Risk

Introduction

Risk is a measure for the expectation of undesirable outcome (impact) to realise. This expectation concerns both the likelihood and magnitude of the undesired outcome. Quantified levels of risk are often used to enable an assessment of risk in order to establish if they fall within acceptable limits or to determine which risks pose the highest threat.

Definitions

There is no one, universally accepted definition for risk. A prominent definition of risk is provided in the ISO 31000:2009 risk management standard where risk is defined as the ‘effect of uncertainty on objectives’ and both positive and negative effects are included. As this definition is of a high conceptual level and can be counter-intuitive, for the purpose of this wiki, the definition as mentioned in the introduction will be used.

Objective and subjective risk

Risk assessment

Although terminology may vary, two widely accepted elements in the definition of risk are the inclusion of likelihood and magnitude and to a lesser extent, the fact that to arrive at a measure of risk, the two should be multiplied.

A simple, but widely used definition of risk is therefore

Risk = Likelihood of event realizing X Impact (expected loss in case the accident realizes).

Many variations exist, for example by distinguishing between the probability of a threat realizing (also called probability) and the probability that that threat will affect an object (vulnerability). An example would be storm damage: the probability would reflect the likelihood of a storm at the object, the vulnerability would reflect the likelihood that this storm would cause damage and the impact would reflect the extent of damage that would occur if the storm would cause damage. The quantified risk formula associated with this definition is

Risk = Likelihood of event realizing X vulnerability (probability of realized event impacting object) X Impact (expected loss in case the accident realizes and impacting object).

The estimation of likelihood in security

The use of probability relies on the ability to make reliable predictions. This is most often based on the analysis of past occurrences and identification of trends. When determining risk in the field of threats related to human intent, the use of trend analysis to determine likelihood is criticised^[1] for threats actively seeking harm (for example terrorism). This is due to the fact that

• these events occur relatively infrequently, making the recognition of trends difficult;
• in contrast to for instance natural threats, the results of past events does influence the likelihood of future events: potential perpetrators will actively seek ‘the weakest link’. This means that the predicting value of trends in past occurrences is in doubt.