Security risk - Biblioteka.sk


Security risk
Firefighters are exposed to risks of fire and building collapse during their work.

In simple terms, risk is the possibility of something bad happening.[1] Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.[2] Many different definitions have been proposed. The international standard definition of risk for common understanding in different applications is "effect of uncertainty on objectives".[3]

The understanding of risk, the methods of assessment and management, the descriptions of risk and even the definitions of risk differ in different practice areas (business, economics, environment, finance, information technology, health, insurance, safety, security etc). This article provides links to more detailed articles on these areas. The international standard for risk management, ISO 31000, provides principles and general guidelines on managing risks faced by organizations.[4]

Definitions of risk

Oxford English Dictionary

The Oxford English Dictionary (OED) cites the earliest use of the word in English (in the spelling of risque from its French original, 'risque') as of 1621, and the spelling as risk from 1655. While including several other definitions, the OED 3rd edition defines risk as:

(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.[5]

The Cambridge Advanced Learner's Dictionary gives a simple summary, defining risk as "the possibility of something bad happening".[1]

International Organization for Standardization

The International Organization for Standardization (ISO) Guide 73 provides basic vocabulary to develop common understanding on risk management concepts and terms across different applications. ISO Guide 73:2009 defines risk as:

effect of uncertainty on objectives

Note 1: An effect is a deviation from the expected – positive or negative.

Note 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

Note 3: Risk is often characterized by reference to potential events and consequences or a combination of these.

Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.[3]

This definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts. It was first adopted in 2002. Its complexity reflects the difficulty of satisfying fields that use the term risk in different ways. Some restrict the term to negative impacts ("downside risks"), while others also include positive impacts ("upside risks").

ISO 31000:2018 "Risk management — Guidelines" uses the same definition with a simpler set of notes.[4]

Other

  • "Source of harm". The earliest use of the word "risk" was as a synonym for the much older word "hazard", meaning a potential source of harm. This definition comes from Blount's "Glossographia" (1661)[6] and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to "unwanted events"[7] or "something bad that might happen".[1]
  • "Chance of harm". This definition comes from Johnson's "Dictionary of the English Language" (1755), and has been widely paraphrased, including "possibility of loss"[5] or "probability of unwanted events".[7]
  • "Uncertainty about loss". This definition comes from Willett's "Economic Theory of Risk and Insurance" (1901).[8] This links "risk" to "uncertainty", which is a broader term than chance or probability.
  • "Measurable uncertainty". This definition comes from Knight's "Risk, Uncertainty and Profit" (1921).[9] It allows "risk" to be used equally for positive and negative outcomes. In insurance, risk involves situations with unknown outcomes but known probability distributions.[10]
  • "Volatility of return". Equivalence between risk and variance of return was first identified in Markowitz's "Portfolio Selection" (1952).[11] In finance, volatility of return is often equated to risk.[12]
  • "Statistically expected loss". The expected value of loss was used to define risk by Wald (1939) in what is now known as decision theory.[13] The probability of an event multiplied by its magnitude was proposed as a definition of risk for the planning of the Delta Works in 1953, a flood protection program in the Netherlands.[14] It was adopted by the US Nuclear Regulatory Commission (1975),[15] and remains widely used.[7]
  • "Likelihood and severity of events". The "triplet" definition of risk as "scenarios, probabilities and consequences" was proposed by Kaplan & Garrick (1981).[16] Many definitions refer to the likelihood/probability of events/effects/losses of different severity/consequence, e.g. ISO Guide 73 Note 4.[3]
  • "Consequences and associated uncertainty". This was proposed by Kaplan & Garrick (1981).[16] This definition is preferred in Bayesian analysis, which sees risk as the combination of events and uncertainties about them.[17]
  • "Uncertain events affecting objectives". This definition was adopted by the Association for Project Management (1997).[18][19] With slight rewording it became the definition in ISO Guide 73.[3]
  • "Uncertainty of outcome". This definition was adopted by the UK Cabinet Office (2002)[20] to encourage innovation to improve public services. It allowed "risk" to describe either "positive opportunity or negative threat of actions and events".
  • "Asset, threat and vulnerability". This definition comes from the Threat Analysis Group (2010) in the context of computer security.[21]
  • "Human interaction with uncertainty". This definition comes from Cline (2015)[22] in the context of adventure education.
  • "Potential returns from an event, where the returns are any changes, effects, consequences, and so on, of the event". This definition from Newsome (2014) expands the neutrality of 'risk' akin to the UK Cabinet Office (2002) and Knight (1921).[23]

Some resolve these differences by arguing that the definition of risk is subjective. For example:

No definition is advanced as the correct one, because there is no one definition that is suitable for all problems. Rather, the choice of definition is a political one, expressing someone's views regarding the importance of different adverse effects in a particular situation.[24]

The Society for Risk Analysis concludes that "experience has shown that to agree on one unified set of definitions is not realistic". The solution is "to allow for different perspectives on fundamental concepts and make a distinction between overall qualitative definitions and their associated measurements."[2]

Practice areas

The understanding of risk, the common methods of management, the measurements of risk and even the definition of risk differ in different practice areas. This section provides links to more detailed articles on these areas.

Business risk

Business risks arise from uncertainty about the profit of a commercial business[25] due to unwanted events such as changes in tastes, changing preferences of consumers, strikes, increased competition, changes in government policy, obsolescence etc.

Business risks are controlled using techniques of risk management. In many cases they may be managed by intuitive steps to prevent or mitigate risks, by following regulations or standards of good practice, or by insurance. Enterprise risk management includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.

See Also

Financial risk management § Corporate finance.

Economic risk

Economics is concerned with the production, distribution and consumption of goods and services. Economic risk arises from uncertainty about economic outcomes. For example, economic risk may be the chance that macroeconomic conditions like exchange rates, government regulation, or political stability will affect an investment or a company's prospects.[26]

In economics, as in finance, risk is often defined as quantifiable uncertainty about gains and losses.

Environmental risk

Environmental risk arises from environmental hazards or environmental issues.

In the environmental context, risk is defined as "The chance of harmful effects to human health or to ecological systems".[27]

Environmental risk assessment aims to assess the effects of stressors, often chemicals, on the local environment.[28]

Financial risk

Finance is concerned with money management and acquiring funds.[29] Financial risk arises from uncertainty about financial returns. It includes market risk, credit risk, liquidity risk and operational risk.

In finance, risk is the possibility that the actual return on an investment will be different from its expected return.[30] This includes not only "downside risk" (returns below expectations, including the possibility of losing some or all of the original investment) but also "upside risk" (returns that exceed expectations). In Knight's definition, risk is often defined as quantifiable uncertainty about gains and losses. This contrasts with Knightian uncertainty, which cannot be quantified.

Financial risk modeling determines the aggregate risk in a financial portfolio. Modern portfolio theory measures risk using the variance (or standard deviation) of asset prices. More recent risk measures include value at risk.

Because investors are generally risk averse, investments with greater inherent risk must promise higher expected returns.[31]

Financial risk management uses financial instruments to manage exposure to risk. It includes the use of a hedge to offset risks by adopting a position in an opposing market or investment.

In financial audit, audit risk refers to the potential that an audit report may fail to detect material misstatement either due to error or fraud.

Health risk

Health risks arise from disease and other biological hazards.

Epidemiology is the study and analysis of the distribution, patterns and determinants of health and disease. It is a cornerstone of public health, and shapes policy decisions by identifying risk factors for disease and targets for preventive healthcare.

In the context of public health, risk assessment is the process of characterizing the nature and likelihood of a harmful effect to individuals or populations from certain human activities. Health risk assessment can be mostly qualitative or can include statistical estimates of probabilities for specific populations.

A health risk assessment (also referred to as a health risk appraisal and health & well-being assessment) is a questionnaire screening tool, used to provide individuals with an evaluation of their health risks and quality of life.

Health, safety, and environment risks

Health, safety, and environment (HSE) are separate practice areas; however, they are often linked. The reason is typically to do with organizational management structures; however, there are strong links among these disciplines. One of the strongest links is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts, and much longer-term environmental impacts. Events such as Chernobyl, for example, caused immediate deaths, and in the longer term, deaths from cancers, and left a lasting environmental impact leading to birth defects, impacts on wildlife, etc.

Information technology risk

Information technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data. IT risk (or cyber risk) arises from the potential that a threat may exploit a vulnerability to breach security and cause harm. IT risk management applies risk management methods to IT to manage IT risks. Computer security is the protection of IT systems by managing IT risks.

Information security is the practice of protecting information by mitigating information risks. While IT risk is narrowly focused on computer security, information risks extend to other forms of information (paper, microfilm).

Insurance risk

Insurance is a risk treatment option which involves risk sharing. It can be considered as a form of contingent capital and is akin to purchasing an option in which the buyer pays a small premium to be protected from a potential large loss.

Insurance risk is often taken by insurance companies, who then bear a pool of risks including market risk, credit risk, operational risk, interest rate risk, mortality risk, longevity risks, etc.[32]

The term "risk" has a long history in insurance and has acquired several specialised definitions, including "the subject-matter of an insurance contract", "an insured peril" as well as the more common "possibility of an event occurring which causes injury or loss".[33]

Occupational risk

Occupational health and safety is concerned with occupational hazards experienced in the workplace.

The Occupational Health and Safety Assessment Series (OHSAS) standard OHSAS 18001 in 1999 defined risk as the "combination of the likelihood and consequence(s) of a specified hazardous event occurring". In 2018 this was replaced by ISO 45001 "Occupational health and safety management systems", which uses the ISO Guide 73 definition.

Project risk

A project is an individual or collaborative undertaking planned to achieve a specific aim. Project risk is defined as, "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives". Project risk management aims to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in the project.[34][35]

Safety risk

Harbor sign warning visitors that use of the walkway is "at your own risk"

Safety is concerned with a variety of hazards that may result in accidents causing harm to people, property and the environment. In the safety field, risk is typically defined as the "likelihood and severity of hazardous events". Safety risks are controlled using techniques of risk management.

A high reliability organisation (HRO) involves complex operations in environments where catastrophic accidents could occur. Examples include aircraft carriers, air traffic control, aerospace and nuclear power stations. Some HROs manage risk in a highly quantified way. The technique is usually referred to as probabilistic risk assessment (PRA). See WASH-1400 for an example of this approach. The incidence rate can also be reduced due to the provision of better occupational health and safety programmes.[36]

Security risk

Security is freedom from, or resilience against, potential harm caused by others.

A security risk is "any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities."[37]

Security risk management involves protection of assets from harm caused by deliberate acts.

Assessment and management of risk

Risk management

Risk is ubiquitous in all areas of life and we all manage these risks, consciously or intuitively, whether we are managing a large organization or simply crossing the road. Intuitive risk management is addressed under the psychology of risk below.

Risk management refers to a systematic approach to managing risks, and sometimes to the profession that does this. A general definition is that risk management consists of "coordinated activities to direct and control an organization with regard to risk".[3]

Source: https://en.wikipedia.org?pojem=Security_risk
The text is available under the Creative Commons Attribution/Share-Alike License 3.0 Unported; additional terms may apply. More detailed information can be found on the Terms of Use page.







