Risk

Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called "risks". Almost any human endeavor carries some risk, but some are much more risky than others.

Definitions of risk

The many inconsistent and ambiguous meanings attached to "risk" lead to widespread confusion and also mean that very different approaches to risk management are taken in different fields. For example:

The ISO 31000 (2009) /ISO Guide 73 definition of risk is the 'effect of uncertainty on objectives'. In this definition, uncertainties include events (which may or not happen) and uncertainties caused by a lack of information or ambiguity. This definition also includes both negative and positive impacts on objectives.

Another definition is that risks are future problems that can be avoided or mitigated, rather than current ones that must be immediately addressed.

Risk can be seen as relating to the probability of uncertain future events. For example, according to Factor Analysis of Information Risk (FAIR), risk is the probable frequency and probable magnitude of future loss. In computer science this definition is used by The Open Group.

OHSAS (Occupational Health & Safety Advisory Services) defines risk as the product of the probability of a hazard resulting in an adverse event, times the severity of the event.

In information security, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization".

Financial risk is often defined as the unexpected variability or volatility of returns and thus includes both potential worse-than-expected as well as better-than-expected returns. References to negative risk below should be read as applying to positive impacts or opportunity (e.g., for "loss" read "loss or gain") unless the context precludes this interpretation.

The related term "hazard" is used to mean something that could cause harm.

As risk carries so many different meanings, there are many formal methods used to assess or to "measure" risk. Some of the quantitative definitions of risk are well-grounded in statistical theory and lead naturally to statistical estimates, but some are more subjective. For example, in many cases a critical factor is human decision making.

Even when statistical estimates are available, in many cases risk is associated with rare failures of some kind, and data may be sparse. Often, the probability of a negative event is estimated by using the frequency of past similar events or by event tree methods, but probabilities for rare failures may be difficult to estimate if an event tree cannot be formulated. This makes risk assessment difficult in hazardous industries (for example nuclear energy) where the frequency of failures is rare and harmful consequences of failure are very high.

Statistical methods may also require the use of a cost function, which in turn often requires the calculation of the cost of the loss of human life, a difficult problem. One approach is to ask what people are willing to pay to insure against death or radiological release (e.g., GBq of radio-iodine), but as the answers depend very strongly on the circumstances it is not clear that this approach is effective.

Mathematical formulations

In statistics, the notion of risk is often modelled as the expected value of some outcome seen as undesirable. This combines the probabilities of various possible events and some assessment of the corresponding harms into a single value. (See also Expected utility.) In a formula that can be used in the simple case of a binary possibility (accident or no accident), risk is then:

\text{Risk} = (\text{probability of the accident occurring}) \times (\text{expected loss in case of the accident})

For example: if activity X may suffer an accident of type A at a probability of 0.01 with a loss of 1000, the total risk is a loss of 10, since that is the product of 0.01 and 1000.

In the case of several possible accidents, risk is the sum of the risks for the different accidents, provided that the outcomes are comparable (expressed in the same units):

\text{Risk} = \sum_{\text{accidents}} \left((\text{probability of the accident occurring}) \times (\text{expected loss in case of the accident})\right)

For example: if activity X may suffer an accident of type A at a probability of 0.01 with a loss of 1000, and an accident of type B at a probability of 0.000 001 with a loss of 2 000 000, the total risk is a loss of 12, that is, 10 from accidents of type A and 2 from accidents of type B.

One of the first major uses of this concept was during the planning of the Delta Works in 1953, a flood protection program in the Netherlands, with the aid of the mathematician David van Dantzig.[12] The kind of risk analysis pioneered there has become common today in fields like nuclear power, aerospace and the chemical industry.

In statistical decision theory, the risk function is defined as the expected value of a given loss function as a function of the decision rule used to make decisions in the face of uncertainty.
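The expected-loss formula and the worked example above, together with the decision-theoretic risk function, as an added Python example (not part of the article): `risk()` sums probability times loss over the accidents of activity X, and `decision_risk()` scores hypothetical decision rules whose costs and mitigation factors are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Accident:
    """One possible undesirable event: its probability and the loss if it occurs."""
    name: str
    probability: float  # probability the accident occurs, in [0, 1]
    loss: float         # expected loss given the accident, in one common unit

def risk(accidents):
    """Expected loss: the sum over accidents of probability x loss.
    All losses must be in the same unit, otherwise the sum is meaningless."""
    total = 0.0
    for a in accidents:
        if not 0.0 <= a.probability <= 1.0:
            raise ValueError(f"{a.name}: probability must lie in [0, 1]")
        if a.loss < 0:
            raise ValueError(f"{a.name}: loss must be non-negative")
        total += a.probability * a.loss
    return total

# The article's worked example: accident A (0.01, 1000) and B (0.000001, 2 000 000).
ACTIVITY_X = (Accident("A", 0.01, 1000), Accident("B", 0.000001, 2_000_000))

# Constructed decision rules (hypothetical figures, not from the article): each
# option has a fixed cost and scales an accident's (probability, loss) by factors.
OPTIONS = {
    "do nothing": {"cost": 0, "A": (1.0, 1.0), "B": (1.0, 1.0)},
    "mitigate A": {"cost": 3, "A": (0.5, 1.0), "B": (1.0, 1.0)},  # halves P(A)
    "insure B":   {"cost": 4, "A": (1.0, 1.0), "B": (1.0, 0.5)},  # halves loss of B
}

def decision_risk(option, accidents):
    """Risk function of a decision rule: the option's cost plus the expected
    loss under the probabilities and losses that rule leaves in place."""
    adjusted = []
    for a in accidents:
        p_factor, l_factor = option.get(a.name, (1.0, 1.0))
        adjusted.append(replace(a, probability=a.probability * p_factor,
                                loss=a.loss * l_factor))
    return option["cost"] + risk(adjusted)

def best_option(options, accidents):
    """Pick the decision rule with the lowest risk; also return every score."""
    scored = {name: decision_risk(opt, accidents) for name, opt in options.items()}
    return min(scored, key=scored.get), scored

if __name__ == "__main__":
    print("risk of activity X:", risk(ACTIVITY_X))   # 12.0, as in the article
    print(best_option(OPTIONS, ACTIVITY_X))
```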