Foundation Series: Deconstructing Risk
Moving beyond intuition and defining risk
Everyone possesses an intuitive understanding of risk, often associating it with danger or potential harm. Even my toddler can anticipate risk - despite being unable to articulate it properly yet. In this article I would like to go beyond this intuitive understanding and level-set on what risk is and its associated characteristics.
Many formal definitions of risk exist; as such I think it is important to put this article in the context of financial services, although I think the definition is transferable to many other fields. Having a common language and understanding amongst stakeholders is just so important: the words we use matter!
A formal definition allows us to treat risks systematically and consistently through the Risk Management Life Cycle (RMLC), which coordinates the activities that are necessary to proactively manage risk. Hence, a risk definition is a critical prerequisite for risk governance as it provides the foundation upon which accountability, transparency, and oversight are carried out.
Let us consider a few definitions of risk:
risk is effect of uncertainty on objectives
An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Objectives can have different aspects and categories, and can be applied at different levels.
Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.
-ISO 31000:2018
What I like about this definition is that it recognizes the negative, positive or combined impact a risk can have. I also like the fact that it takes some underlying characteristics into consideration, such as source, potential event, consequence and likelihood. On the other hand, this is also what makes the definition quite convoluted to understand, as each of those terms has its own definition that is at least a paragraph long. Let’s consider another definition:
From a supervisory perspective, risk is the potential that events will have an adverse effect on a bank’s current or projected financial condition* and resilience**.
* Financial condition includes impacts from diminished capital and liquidity. Capital in this context includes potential impacts from losses, reduced earnings, and market value of equity.
** Resilience recognizes the bank’s ability to withstand periods of stress.
-OCC
What I like about this definition is its straightforward nature; however, it is also too specific, focusing only on the downside and narrowing the impacts to capital, liquidity, and resilience.
In both cases the definition feels technical and rather contextualized to (a) the pursuit of objectives and (b) supervision. I would like to propose something that is more agnostic and simpler.
My definition of risk
I would like to frame risk in a more fundamental way by leaning on just two elements, likelihood and impact:
Risk is a function of the likelihood of a risk event occurring and the magnitude of its potential impact.
I like the simplicity of this definition and its universal nature. That being said, I also think it is important to mention certain associated characteristics in order to consider risk more fully (see further below). I will also admit that, as a risk manager, I spend most of my time being concerned with the downside; nonetheless, it is important to be aware of the upside too.
Visually I think of it as illustrated in figure 1, where each individual risk can be plotted against these two axes:
Associated characteristics of risk:
Direction of risk: whether the risk exposure is increasing, stable, or decreasing over time.
Threat volatility: the frequency and intensity with which a risk’s underlying threat landscape evolves, potentially outpacing existing controls or risk understanding.
Velocity: the speed at which a risk event can materialize and impact the organization once triggered.
Interdependence: the degree of dependence or contagion between different risks.
In summary
Defining risk with precision is more than a theoretical exercise - it is the foundation of effective governance and decision-making. By establishing a shared understanding of what risk is and how it behaves, organizations can assess exposures consistently and manage them proactively through the Risk Management Life Cycle. Incorporating characteristics such as direction, velocity, interdependence, and threat volatility enhances this understanding, ensuring that risk management remains responsive to a rapidly changing environment.
If you are looking for practical templates and governance resources, you can find them in the Polisight Store.