risk [English]

InterPARES Definition

n. ~ Uncertainty associated with results arising from intentional or unanticipated events, threats, or vulnerabilities, and their impact or probability.

General Notes

The ISO 31000 (2009) standard on risk management changed the earlier ISO Guide 73 definition of risk from the "chance or probability of loss" to "the effect of uncertainty on objectives", so that risk may have positive as well as negative consequences. Risk may have a variety of financial and operational consequences, including impacts on an organization's mission, functions, image, and reputation. In information security usage (see the NIST, CNSS and RFC 4949 entries below), risk is typically expressed as a function of the likelihood that a threat will exploit a vulnerability and the adverse impact if it does; the risk that remains after controls have been applied is termed residual risk.

Other Definitions

  • Black's 9th 2009 (†382 p. 1442): 1. The uncertainty of a result, happening, or loss; the chance of injury, damage, or loss; esp., the existence and extent of the possibility of harm. – 2. Liability for injury, damage, or loss if it occurs. [Ed: Includes narrower aspects, including absorbable risk, assigned risk, classified risk, noninsurable risk, pure risk, shifting risk, and speculative risk.]
  • NIST Risk Management Framework 2010 (†483 p. B-8): A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. ¶ [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]
  • RFC 4949 (†591 s.v. "risk"): 1. (I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (See: residual risk.) – 2. (O) /SET/ "The possibility of loss because of one or more threats to information (not to be confused with financial or business risk)." [SET2]

Citations

  • Classen and McCaw 2012 (†599 p. 9): Cloud computing offers many advantages to customers but raises concerns related to maintaining the privacy of the customer’s confidential information. A customer’s confidentiality and data security risks can be managed, however, through careful contract drafting and negotiation. While these risks cannot be completely eliminated, there is no reason not to use cloud computing as the benefits of cloud computing far outweigh the risks associated with a carefully negotiated contract. (†1383)
  • CNSS-4009 (†730 p.61): A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (†1744)
  • Das and Teng 2004 (†406 p. 87): The logic of risk, including uncertainty and probability, occupies an important position in defining trust. (†471)
  • Das and Teng 2004 (†406 pp. 98-99): In brief, subjective trust and perceived risk can be jointly understood within the rubric of probability estimates and that the two concepts describe probabilities with contrasting mentalities. While subjective trust refers to assessed probability of having desirable action performed by the trustee, perceived risk is assessed probability of not having desirable results. Thus, subjective trust and perceived risk are like mirror images of each other. (†476)
  • Das and Teng 2004 (†406 p. 101): Risk in interfirm cooperation consists of two types – relational risk and performance risk. Using the concepts in interpersonal or interorganizational relationships, relational risk refers to the probability and consequences of a partner not fully committing to a relationship and not acting in the manner expected. Performance risk is defined as the probability and consequences of not achieving the goals in a relationship, given good intentions and efforts of the partner. (†477)
  • Duranti 2013 (†408): A risk is defined as the probability that an adverse event will occur multiplied by the impact that such event would have. It is really a question of comparison among available choices: if it is not possible to have all one wishes to have, what is one to give up with the least consequences? (†496)
  • Duranti 2013 (†408): The risks involved in the adoption of a Cloud environment for the storage and preservation of our historical documentary memory by far outweigh the benefits, to the point that the association of the idea of historical memory with the idea of Cloud sounds like an oxymoron. (†501)
  • Duranti 2014 (†490 p. 12): A risk is defined as the probability that an adverse event will occur multiplied by the impact that such event would have. It is really a question of comparison among available choices: if it is not possible to have all one wishes to have, what is one to give up with the least consequences? (†746)
  • IRM 2002 (†491 p. 2): Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). ¶ In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). (†748)
  • ISACA Glossary (†743 s.v. risk): The combination of the probability of an event and its consequence. (ISO/IEC 73) (†1799)
  • ISO 73, 2009 (†456 §1.1): Effect of uncertainty on objectives. ¶Note 1 to entry: An effect is a deviation from the expected – positive and/or negative. ¶Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). ¶Note 3 to entry: Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these. ¶Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence. ¶Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. (†637)
  • Ladley 2012 (†589 p. 17): There is risk associated with data and content. This risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk. (†1193)
  • Law 2011 (†581 s.v. risk): The possibility of suffering damage or loss in the face of uncertainty about the outcome of actions, future events, or circumstances. Organizations are exposed to various types of risk, including damage to property, injury to personnel, financial loss, and legal liability. These may affect profitability, hinder the achievement of objectives, or lead to business interruption or failure. Risk may be deemed high or low, depending on the probability of an adverse outcome. Risks that can be quantified on the basis of past experience are insurable and those that cannot be calculated are uninsurable. (†1122)
  • NIST Framework 2014 (†413 p. 38): A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (†508)
  • RFC 4949 (†591 s.v. "risk"): Tutorial: There are four basic ways to deal with a risk [SP30]: · "Risk avoidance": Eliminate the risk by either countering the threat or removing the vulnerability. (Compare: "avoidance" under "security".) · "Risk transference": Shift the risk to another system or entity; e.g., buy insurance to compensate for potential loss. · "Risk limitation": Limit the risk by implementing controls that minimize resulting loss. · "Risk assumption": Accept the potential for loss and continue operating the system. (†1354)
  • Wikipedia (†387 s.v. "risk"): Values (such as physical health, social status, emotional well being or financial wealth) can be gained or lost when taking risk resulting from a given action, activity and/or inaction, foreseen or unforeseen. Risk can also be defined as the intentional interaction with uncertainty. Risk perception is the subjective judgment people make about the severity of a risk, and may vary person to person. Any human endeavor carries some risk, but some are much riskier than others. (†633)
  • Wikipedia (†387 s.v. "ISO 31000"): ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions. . . . ¶One of the key paradigm shifts proposed in ISO 31000 is a controversial change in how risk is conceptualised. Under the ISO 31000:2009 and a consequential major revision of the terminology in ISO Guide 73, the definition of "risk" is no longer "chance or probability of loss", but "the effect of uncertainty on objectives" ... thus causing the word "risk" to refer to positive possibilities as well as negative ones. (†634)
  • Wikipedia (†387 s.v. "ISO 31000"): ISO 31000:2009 gives a list on how to deal with risk: · Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk · Accepting or increasing the risk in order to pursue an opportunity · Removing the risk source · Changing the likelihood · Changing the consequences · Sharing the risk with another party or parties (including contracts and risk financing) · Retaining the risk by informed decision (†635)
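Two of the quoted entries describe a method rather than a mere definition: Duranti's "probability multiplied by impact ... a question of comparison among available choices", and the four ways of dealing with a risk in the RFC 4949 tutorial (avoidance, transference, limitation, assumption). The following is an added illustration of how a practitioner would put the two together; it is not code from InterPARES or from any source cited on this page. The scenario, the class names and every probability, cost and loss figure are constructed for the example.

```python
"""Comparing risk treatments by expected loss.

Added example for this glossary entry; not code from InterPARES or any
source cited on the page. It applies two quoted definitions: risk as
probability multiplied by impact (Duranti 2013/2014) and the four RFC 4949
ways of dealing with a risk. Every figure below is a constructed illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the threat exploits the vulnerability in the period
    impact: float       # loss if it does, in one consistent currency unit

    def expected_loss(self) -> float:
        """Risk = probability x impact, per the Duranti definition quoted above."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie in [0, 1]")
        return round(self.probability * self.impact, 2)


@dataclass(frozen=True)
class Treatment:
    """One RFC 4949 treatment applied to a risk.

    kind is one of 'avoid', 'transfer', 'limit', 'assume'.
    cost is the fixed cost of the treatment for the period (a control, an
    insurance premium, or 0 for simply assuming the risk).
    residual_probability and residual_impact describe what is left after
    the treatment is in place; together they define the residual risk.
    """
    kind: str
    cost: float
    residual_probability: float
    residual_impact: float

    KINDS = ("avoid", "transfer", "limit", "assume")

    def __post_init__(self) -> None:
        if self.kind not in self.KINDS:
            raise ValueError(f"unknown treatment kind {self.kind!r}")


def residual_risk(risk: Risk, t: Treatment) -> Risk:
    """The risk that remains once the treatment has been applied."""
    return Risk(risk.name, t.residual_probability, t.residual_impact)


def total_expected_cost(risk: Risk, t: Treatment) -> float:
    """Treatment cost plus residual expected loss: the figure to minimise when
    comparing among available choices."""
    return round(t.cost + residual_risk(risk, t).expected_loss(), 2)


def rank_treatments(risk: Risk, options: list[Treatment]) -> list[tuple[str, float]]:
    """Return (kind, total expected cost) pairs, cheapest first."""
    scored = [(t.kind, total_expected_cost(risk, t)) for t in options]
    return sorted(scored, key=lambda pair: pair[1])


# Constructed scenario: an internet-facing service with a known, unpatched
# vulnerability. probability = estimated chance of exploitation this period;
# impact = estimated loss from one successful exploitation.
EXAMPLE_RISK = Risk("unpatched internet-facing service", probability=0.3, impact=200_000)

EXAMPLE_TREATMENTS = [
    # Assumption: accept the potential loss and keep operating; nothing changes.
    Treatment("assume", cost=0, residual_probability=0.3, residual_impact=200_000),
    # Limitation: patching plus a compensating control lowers the probability
    # of a successful exploit but not the loss if one does succeed.
    Treatment("limit", cost=15_000, residual_probability=0.05, residual_impact=200_000),
    # Transference: insurance caps the loss at the deductible, but the
    # vulnerability is still present, so the probability is unchanged.
    Treatment("transfer", cost=20_000, residual_probability=0.3, residual_impact=50_000),
    # Avoidance: retire the service; the vulnerability is removed, so this
    # event cannot occur, at the cost of replacing the service.
    Treatment("avoid", cost=45_000, residual_probability=0.0, residual_impact=0),
]


def main() -> None:
    print(f"{EXAMPLE_RISK.name}: expected loss {EXAMPLE_RISK.expected_loss():,.0f}")
    for kind, cost in rank_treatments(EXAMPLE_RISK, EXAMPLE_TREATMENTS):
        print(f"  {kind:<8} total expected cost {cost:>10,.0f}")


if __name__ == "__main__":
    main()
```

With these constructed figures the ranking is limit (25,000), transfer (35,000), avoid (45,000), assume (60,000). Two points the numbers make explicit: transference lowers the expected cost without touching the vulnerability, so the probability of the event is unchanged; and the cheapest option still leaves a residual expected loss of 10,000, which is itself a risk that has to be assumed by informed decision or treated again.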