Risk

This section needs to be updated. The reason given is: ISO 31000. Please help update this article to reflect recent events or newly available information. (September 2025)

The Oxford English Dictionary (OED) cites the earliest use of the word in English (in the spelling of risque from its French original, 'risque') as of 1621, and the spelling as risk from 1655. While including several other definitions, the OED 3rd edition defines risk as "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility".^[5] The Cambridge Advanced Learner's Dictionary defines risk as "the possibility of something bad happening".^[1] Some have argued that the definition of risk is subjective and context-specific.^[2][6] The International Organization for Standardization (ISO) 31073 defines risk as:^[7][8]

effect of uncertainty^[9] on objectives^[10]

Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.^[11]

Note 2: Objectives can have different aspects and categories, and can be applied at different levels.

Note 3: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

Other general definitions include:

• "Source of harm". The earliest use of the word "risk" was as a synonym for the much older word "hazard", meaning a potential source of harm. This definition comes from Blount's "Glossographia" (1661)^[12] and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to "unwanted events"^[13] or "something bad that might happen".^[1]
• "Chance of harm". This definition comes from Johnson's "Dictionary of the English Language" (1755), and has been widely paraphrased, including "possibility of loss"^[5] or "probability of unwanted events".^[13]
• "Uncertain events affecting objectives". This definition was adopted by the Association for Project Management (1997).^[14][15] With slight rewording it became the definition in ISO Guide 73.^[3]
• "Uncertainty of outcome". This definition was adopted by the UK Cabinet Office (2002)^[16] to encourage innovation to improve public services. It allowed "risk" to describe either "positive opportunity or negative threat of actions and events".
• "Potential returns from an event ['a thing that happens or takes place'], where the returns are any changes, effects, consequences, and so on, of the event". This definition from Newsome (2014) expands the neutrality of 'risk' akin to the UK Cabinet Office (2002) and Knight (1921).^[17]
• "Human interaction with uncertainty". This definition comes from Cline (2015) in the context of adventure education.^[18]

In his seminal 1921 work Risk, Uncertainty, and Profit, Frank Knight established the distinction between risk and uncertainty.

... Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. The term "risk," as loosely used in everyday speech and in economic discussion, really covers two things which, functionally at least, in their causal relations to the phenomena of economic organization, are categorically different. ... The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomenon depending on which of the two is really present and operating. ... It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We ... accordingly restrict the term "uncertainty" to cases of the non-quantitive type.^[19]

Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.

Risk is often considered to be a set of triplets^[31][26]

${\displaystyle {\text{R}}=(s_{i},p_{i},x_{i})}$ for i = 1,2,....,N

where:

${\displaystyle s_{i}}$ is a scenario describing a possible event

${\displaystyle p_{i}}$ is the probability of the scenario

${\displaystyle x_{i}}$ is the consequence of the scenario

${\displaystyle N}$ is the number of scenarios chosen to describe the risk

Risks expressed in this way can be shown in a risk register or a risk matrix. They may be quantitative or qualitative, and can include positive as well as negative consequences.^[40]

An updated version recommends the following general description of risk:^[30]

${\displaystyle R=({A,C,U,P,K})}$

where:

${\displaystyle A}$ is an event that might occur

${\displaystyle C}$ is the consequences of the event

${\displaystyle U}$ is an assessment of uncertainties

${\displaystyle P}$ is a knowledge-based probability of the event

${\displaystyle K}$ is the background knowledge that U and P are based on

If all the consequences are expressed in the same units (or can be converted into a consistent loss function), the risk can be expressed as a probability density function describing the uncertainty about outcome:

${\displaystyle R=p(x)}$

This can also be expressed as a cumulative distribution function (CDF) (or S curve).^[40] One way of highlighting the tail of this distribution is by showing the probability of exceeding given losses, known as a complementary cumulative distribution function, plotted on logarithmic scales. For example, frequency-number diagrams show the annual frequency of exceeding given numbers of fatalities.^[40] Another way of summarizing the size of the distribution's tail is the loss with a certain probability of exceedance, that is, the value at risk.

Risk is often measured as the expected value of the loss. This combines the probabilities and consequences into a single value. See also expected utility. The simplest case is a binary possibility of Accident or No accident. The associated formula for calculating risk is then:

${\displaystyle R=({\text{probability of the accident occurring}})\times ({\text{expected loss in case of the accident}})}$

In a situation with several possible accident scenarios, total risk is the sum of the risks for each scenario, provided that the outcomes are comparable:

${\displaystyle R=\sum _{i=1}^{N}p_{i}x_{i}}$

In statistical decision theory, the risk function is defined as the expected value of a given loss function as a function of the decision rule used to make decisions in the face of uncertainty.

A disadvantage of defining risk as the product of impact and probability is that it presumes, unrealistically, that decision-makers are risk-neutral. A risk-neutral person's utility is proportional to the expected value of the payoff. For example, a risk-neutral person would consider 20% chance of winning $1 million exactly as desirable as getting a certain $200,000. However, most decision-makers are not actually risk-neutral and would not consider these equivalent choices.^[26] Pascal's mugging is a philosophical thought experiment that demonstrates issues in assessing risk solely by the expected value of loss or return.

Risks of discrete events such as accidents are often measured as outcome frequencies, or expected rates of specific loss events per unit time. When small, frequencies are numerically similar to probabilities, but have dimensions of ⁠1/t⁠ and can sum to more than 1. Typical outcomes expressed this way include:^[41]

• Individual risk - the frequency of a given level of harm to an individual.^[42] It often refers to the expected annual probability of death, and is then comparable to the mortality rate.
• Group (or societal risk) – the relationship between the frequency and the number of people suffering harm.^[42]
• Frequencies of property damage or total loss.
• Frequencies of environmental damage such as oil spills.

In finance, volatility is the degree of variation of a trading price over time, usually measured by the standard deviation of logarithmic returns. Modern portfolio theory measures risk using the variance (or standard deviation) of asset prices. The risk is then:

${\displaystyle R=\sigma }$

The beta coefficient measures the volatility of an individual asset to overall market changes. This is the asset's contribution to systematic risk, which cannot be eliminated by portfolio diversification. It is the covariance between the asset's return r_i and the market return r_m, expressed as a fraction of the market variance:^[43]

${\displaystyle \beta _{i}={\frac {\sigma _{im}}{\sigma _{m}^{2}}}={\frac {\mathrm {Cov} (r_{i},r_{m})}{\mathrm {Var} (r_{m})}}}$

In mathematical finance, a risk-neutral measure is a probability measure such that each share price is exactly equal to the discounted expectation of the share price under the measure. This is heavily used in the pricing of financial derivatives due to the fundamental theorem of asset pricing.

Let ${\displaystyle S}$ be a d-dimensional market representing the price processes of the risky assets, ${\displaystyle B}$ the risk-free bond and ${\displaystyle (\Omega ,{\mathcal {F}},P)}$the underlying probability space. Then a measure ${\displaystyle Q}$ is a risk-neutral measure if

1. ${\displaystyle Q\approx P}$, i.e., ${\displaystyle Q}$ is equivalent to ${\displaystyle P}$,
2. the processes ${\displaystyle \left({\frac {S_{t}^{i}}{B_{t}}}\right)_{t}}$ are (local) martingales w.r.t. ${\displaystyle Q}$ ${\displaystyle \forall \,i=1,\dots ,d}$.^[44]

Benoit Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and analysis must be fundamentally different for the two types of risk.^[45] Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and analysis is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and analysis are to be valid and reliable, according to Mandelbrot.

• Proxy or analogue data from other contexts, presumed to be similar in some aspects of risk.
• Theoretical models, such as Monte Carlo simulation and Quantitative risk assessment software.
• Logical models, such as Bayesian networks, fault tree analysis and event tree analysis
• Expert judgement, such as absolute probability judgement or the Delphi method.

Risk management is the set of actions that organisations take to avoid and mitigate downside risks,^[46][3] taking into account factors such as the possibility of upside risk opportunities,^[47] innovation,^[48] the environment, safety,^[49] scientific evidence, culture, politics, and law.^[46] Risk management operates at the strategic, operational, and individual level,^[4] and may form part of an overarching governance, risk, and compliance strategy. It comprises the assessment of risk as regards an organisation's objectives and strategies, as well as risk mitigation options, such as risk transformation, risk transfer, risk avoidance, risk reduction, and risk retention.^[50]

Risk assessment is a systematic approach to recognising and characterising risks, and evaluating their significance, in order to support decisions about how to manage them. ISO 31000 defines it in terms of its components as "the overall process of risk identification, risk analysis and risk evaluation":^[4]

• Risk identification is "the process of finding, recognizing and recording risks". It "involves the identification of risk sources, events, their causes and their potential consequences."^[3] ISO 31000 describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation.^[4] In safety contexts, where risk sources are known as hazards, this step is known as "hazard identification".^[51]
• The ISO defines risk analysis as "the process to comprehend the nature of risk and to determine the level of risk".^[3] In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation.^[40] Risk analysis often uses data on the probabilities and consequences of previous events.
• Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions.^[40] In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.^[52]

For example, the tolerability of risk framework, developed by the UK Health and Safety Executive, divides risks into three bands:^[53]

• Unacceptable risks – only permitted in exceptional circumstances.
• Tolerable risks – to be kept as low as reasonably practicable (ALARP), taking into account the costs and benefits of further risk reduction.
• Broadly acceptable risks – not normally requiring further reduction.

The terms risk appetite, attitude, and tolerance are often used similarly to describe an organisation's or individual's attitude towards risk-taking. One's attitude may be described as risk-averse, risk-neutral, or risk-seeking.^[54]

• Risk transformation describes the process of not only mitigating risks but also employing risk factors into advantages.^[55]
• Risk transfer is the shifting of risks from one party to another, typically an insurer.^[56]

Risk perception is the subjective judgement that people make about the characteristics and severity of a risk. At its most basic, the perception of risk is an intuitive form of risk analysis.^[57]

Adults have an intuitive understanding of risk, which may not be exclusive to humans.^[58] Many ancient societies believed in divinely determined fates, and attempts to influence the gods can be seen as early forms of risk management. Early uses of the word 'risk' coincided with an erosion of belief in divinely ordained fate.^[59] Notwithstanding, intuitive perceptions of risk are often inaccurate owing to reliance on psychological heuristics, which are subject to systematic cognitive biases.^[60] In particular, the accuracy of risk perception can be adversely affected by the affect heuristic, which relies on emotion to make decisions.^[61][62]

The availability heuristic is the process of judging the probability of an event by the ease with which instances come to mind. In general, rare but dramatic causes of death are over-estimated while common unspectacular causes are under-estimated;^[63] an "availability cascade" is a self-reinforcing cycle in which public concern about relatively minor events is amplified by media coverage until the issue becomes politically important.^[64] Despite the difficulty of thinking statistically, people are typically subject to the overconfidence effect in their judgements, tending to overestimate their understanding of the world and underestimate the role of chance,^[65] with even experts subject to this effect.^[66] Other biases that affect the perception of risk include ambiguity aversion.

Paul Slovic's "psychometric paradigm" assumes that risk is subjectively defined by individuals, influenced by factors such as lack of control, catastrophic potential, and severity of consequences, such that risk perception can be psychometrically measured by surveys.^[67][68][69] Slovic argues that intuitive emotional reactions are the predominant method by which humans evaluate risk, and that a purely statistical approach to disasters lacks emotion and thus fails to convey the true meaning of disasters and fails to motivate proper action to prevent them.^[70] This theory has received support from retrospective studies and evolutionary psychology.^{[71][72][73][74][75][76]} Hazards with high perceived risk are therefore, in general, seen as less acceptable and more in need of reduction.^[77]

Cultural theory of risk views risk perception as a collective phenomenon by which different cultures select some risks for attention and ignore others, with the aim of maintaining their particular way of life.^[78] Hence risk perception varies according to the preoccupations of the culture. The theory outlines two categories, the degree of binding to social groups, the degree of social regulation.^[79] Cultural theory can be used to explain why it can be difficult for people with different world-views to agree about whether a hazard is acceptable, and why risk assessments may be more persuasive for some people than others. However, there is little quantitative evidence that shows cultural biases are strongly predictive of risk perception.^[80]

In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion.^[81][82] Framing is also a fundamental problem with all forms of risk assessment.^[83] In particular, because of bounded rationality, the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving – partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident. The right prefrontal cortex has been shown to take a more global perspective,^[84] while greater left prefrontal activity relates to local or focal processing.^[85][86][87] Reference class forecasting is a forecasting method by which biases associated with risks can be mitigated.

Psychologists have run randomised experiments with a treatment and control group to ascertain the effect of different psychological factors that may be associated with risk taking,^[88] finding that positive and negative feedback about past risk taking can affect future risk taking. For example, one experiment showed that belief in competence correlated with risk-taking behavior.^[89] Risk compensation is a theory that suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected.^[90] People also show risk aversion, such that they reject fair risky offers because of the perception of loss.^[91][92] Further, intuitive responses have been found to be less risk-averse than subsequent reflective response.^[93]

The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse.^[98] "People's autonomy used to be compromised by institution walls, now it's too often our risk management practices", according to John O'Brien.^[99] Michael Fischer and Ewan Ferlie (2013) find that contradictions between formal risk controls and the role of subjective factors in human services (such as the role of emotions and ideology) can undermine service values, so producing tensions and even intractable and 'heated' conflict.^[100]

Anthony Giddens and Ulrich Beck argued that whilst humans have always been subjected to a level of risk – such as natural disasters – these have usually been perceived as produced by non-human forces. Modern societies, however, are exposed to risks such as pollution, that are the result of the modernization process itself. Giddens defines these two types of risks as external risks and manufactured risks.^[101] The term Risk society was coined in the 1980s and its popularity during the 1990s was both as a consequence of its links to trends in thinking about wider modernity, and also to its links to popular discourse, in particular the growing environmental concerns during the period.