Risk
Risk is the potential for an unwanted outcome resulting from an action or inaction. It is an uncertain event that, if it occurs, could have a positive or negative effect on objectives. It is typically measured by combining the probability of an event and the magnitude of its impact.
Definitions
Project Management Context
In the context of project management, a risk is defined as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality. This modern definition is crucial because it encompasses both threats (negative risks) and opportunities (positive risks).
Key concepts include:
- Probability: The likelihood that the risk event will occur.
- Impact: The potential effect on the project objectives if the risk occurs. It can be positive or negative.
- Risk Exposure: Often calculated as Probability × Impact, it quantifies the overall threat or opportunity level of a risk.
For example, a negative risk could be a key supplier going out of business, causing delays. A positive risk, or opportunity, could be a new technology becoming available earlier than expected, which could reduce project costs and duration.
Finance and Investment Context
In finance and investment, risk refers to the degree of uncertainty and/or potential financial loss inherent in an investment decision. It is the chance that an investment's actual gains will differ from its expected returns, including the possibility of losing some or all of the original amount invested.
Types of financial risk include:
- Market Risk: The risk of losses in positions arising from movements in market prices (e.g., stock prices, interest rates).
- Credit Risk: The risk of loss arising from a borrower who fails to make payments as promised.
- Liquidity Risk: The risk that an asset cannot be sold quickly enough in the market to prevent a loss.
For instance, investing in stocks is considered to have a higher risk and potential for higher returns compared to investing in government bonds, which are generally seen as a lower-risk investment.
Information Security Context
In information security and cybersecurity, risk is the potential for loss or damage when a threat exploits a vulnerability. It is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
The formula is often conceptualized as: Risk = Threat × Vulnerability × Impact
- Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.
- Vulnerability: A weakness in an asset or control that can be exploited by one or more threats.
- Impact: The magnitude of harm that can be expected to result from the consequence of a threat successfully exploiting a vulnerability.
An example is the risk of a data breach (impact) due to a hacker (threat) exploiting an unpatched software flaw (vulnerability).
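To make the two formulas above concrete (Risk Exposure = Probability × Impact from the project-management section, and Risk = Threat × Vulnerability × Impact from this one), here is a small risk-register scorer. It is an added example, not part of the original page; the numeric scales, the qualitative thresholds and the sample register entries are constructed for illustration. It treats the security formula as a refinement of the general one: threat and vulnerability together determine the probability, and impact keeps its sign so that threats and opportunities can sit in the same register.

```python
from dataclasses import dataclass

# Constructed scales (an assumption for this example, not from the page):
#   threat, vulnerability and probability lie in [0.0, 1.0]
#   impact lies in [-1.0, 1.0]; negative = threat (harm), positive = opportunity (benefit)


def likelihood(threat: float, vulnerability: float) -> float:
    """Probability that a threat exercises a vulnerability.

    This is the Threat x Vulnerability part of Risk = Threat x Vulnerability x Impact:
    a capable threat against an unexploitable weakness, or a wide-open weakness that
    no threat source targets, both yield a low likelihood.
    """
    for name, value in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return threat * vulnerability


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the event occurs, in [0, 1]
    impact: float       # signed magnitude of the consequence, in [-1, 1]

    def exposure(self) -> float:
        """Risk exposure = Probability x Impact; the sign says threat or opportunity."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be in [0, 1], got {self.probability}")
        if not -1.0 <= self.impact <= 1.0:
            raise ValueError(f"impact must be in [-1, 1], got {self.impact}")
        return self.probability * self.impact

    def kind(self) -> str:
        return "opportunity" if self.impact > 0 else "threat"


def rate(exposure: float) -> str:
    """Qualitative band on the magnitude of exposure (constructed thresholds)."""
    magnitude = abs(exposure)
    if magnitude >= 0.5:
        return "high"
    if magnitude >= 0.2:
        return "medium"
    return "low"


def rank(register: list[Risk]) -> list[Risk]:
    """Order a register so the largest exposures, threat or opportunity, come first."""
    return sorted(register, key=lambda r: abs(r.exposure()), reverse=True)


# Constructed sample register mirroring the page's own examples.
SAMPLE_REGISTER = [
    Risk("key supplier goes out of business", probability=0.2, impact=-0.8),
    Risk("new technology available early", probability=0.3, impact=0.7),
    # Security risk: probability is decomposed into threat x vulnerability.
    Risk("unpatched flaw exploited, data breach",
         probability=likelihood(threat=0.8, vulnerability=0.75), impact=-0.9),
]

if __name__ == "__main__":
    for risk in rank(SAMPLE_REGISTER):
        print(f"{risk.name:40s} {risk.kind():12s} "
              f"exposure={risk.exposure():+.2f} ({rate(risk.exposure())})")
```

Ranking by the magnitude of exposure rather than by impact alone is the point of the register: the supplier failure has a larger impact than the opportunity, but its lower probability pushes it below the opportunity in the ordering, and the security risk leads because both its likelihood factors and its impact are high.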
Origin & History
Etymology
The term 'risk' entered English in the mid-17th century from the French 'risque', which in turn came from the Italian 'risco' or 'rischio'. The Italian term is believed to have originated from the Greek 'rhiza', referring to the hazards of sailing around a cliff, metaphorically representing a danger to be avoided.
Historical Context
The concept of risk is ancient, but its formal study is more recent. In ancient times, risk was often associated with fate, luck, or the will of deities, viewed as something beyond human control. It was a **hazard** faced in endeavors like sea voyages or warfare.

The turning point came in the 17th century with the development of probability theory by mathematicians like Blaise Pascal and Pierre de Fermat. Their work, initially focused on games of chance, provided the mathematical tools to quantify uncertainty, transforming the concept of risk from pure fate into something that could be measured, analyzed, and managed.

In the 20th century, risk became a central concept in various fields. Harry Markowitz's Modern Portfolio Theory (1950s) revolutionized finance by showing how to manage investment risk through diversification. In project management, methodologies like PERT (Program Evaluation and Review Technique) and later the PMBOK® Guide formalized risk management processes. The digital age introduced new dimensions, with cybersecurity **risk** becoming a paramount concern for organizations worldwide.
Usage Examples
The project manager identified a major risk: a key supplier might go out of business, so they developed a mitigation plan to address the threat.
High-yield bonds offer greater returns but come with a higher risk of default, representing a significant financial peril for incautious investors.
Leaving the server unpatched increased the company's exposure to cybersecurity risks from known vulnerabilities.
By entering a new, unproven market, the startup accepted the risk in hopes of capturing a massive opportunity.
Frequently Asked Questions
What are the two main components used to measure risk?
The two primary components used to measure or quantify a risk are its probability (or likelihood) of occurring and its impact (or consequence) if it does occur. Risk is often expressed as a function of these two factors, such as Risk = Probability × Impact.
How does a 'risk' differ from an 'issue' in project management?
A risk is a potential future event that might happen and would affect project objectives. It is an uncertainty. An issue is a problem, obstacle, or event that is currently happening or has already occurred. In essence, a risk that materializes becomes an issue.
Can a risk have a positive outcome?
Yes. In modern management frameworks, a risk is simply an uncertain event. While negative risks are called 'threats', positive risks are called 'opportunities'. An example of an opportunity is the risk that a key resource might become available sooner than planned, allowing the project to finish ahead of schedule.