Differences Between Risk Assessment, Risk Management & Risk Analysis

What is Risk?

A common definition of risk is that it is the combination of a specific hazard and the likelihood that the hazard occurs: risk = (probability) x (hazard). That likelihood may be expressed as a rate or a probability. For example, the risk of an aircraft accident (hazard) can be expressed as one accident per million flights (likelihood).

Risk can be objectively defined so that two people can take the same data and come up with a similar result. Risk can be expressed in many ways, so long as it combines a hazard with a likelihood.

The concept of risk exists in aviation, finance, human health, and many other areas. One can use the methods of science, engineering, and math in order to define risks.

People use the terms Risk, Risk Management, Risk Assessment, and Risk Analysis to describe a wide variety of things. While this may not be a big deal to most, for those who are tasked with performing that work it can cause confusion and the occasional misunderstanding (due to missed expectations).

While there is some overlap in the actual work that those terms define (e.g. Risk Management and Risk Assessment both include Risk Analysis), there are differences that are worth pointing out.

Risk Management

First, let’s start with Risk Management. According to the Marquette University Risk Unit, risk management is the continuing process to identify, analyze, evaluate, and treat loss exposures and monitor risk control and financial resources to mitigate the adverse effects of loss.

We typically simplify this a bit and describe it as the Identification, Analysis (or Measurement), Treatment and Monitoring of risk.

Risk Assessment

According to the Open Group, risk assessment includes processes and technologies that identify, evaluate, and report on risk-related concerns. As stated in NIST 800-30, the risk assessment process is a “key component” of the risk management process.

Using the simplified definition of Risk Management above, it is primarily concerned with the Identification and Analysis phases.

Risk Analysis

Again referencing the Open Group, risk analysis can be considered the evaluation component of the broader risk assessment process, which determines the significance of the identified risk concerns. Simplifying this a bit, we can think of risk analysis as the actual quantification of risk (i.e. calculating the probability and magnitude of loss).
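As an added illustration of what "quantification of risk" means in practice (this is example code written for this article, not from the Open Group, NIST, or any standard), the block below combines a likelihood (loss events per year) with a loss magnitude, exactly as the definition at the top of the page describes. It gives both the point estimate (rate x magnitude) and a Monte Carlo simulation that shows the spread of annual loss, which is what a risk analyst actually reports. The scenario figures (0.5 events per year, losses between $50k and $500k) are constructed for the example and carry no real-world meaning.

```python
"""Quantitative risk analysis example: likelihood x magnitude of loss.

Added example, not part of the original article. All scenario values below
are constructed for illustration only.
"""
import math
import random
import statistics


def expected_annual_loss(events_per_year: float, loss_per_event: float) -> float:
    """Point estimate of risk: rate (likelihood) multiplied by magnitude."""
    return events_per_year * loss_per_event


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson-distributed event count (Knuth's method, fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_loss(events_per_year: float, loss_low: float, loss_mode: float,
                         loss_high: float, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo risk analysis.

    Each simulated year draws a number of loss events (Poisson with the given
    rate) and a loss magnitude per event (triangular between low and high,
    peaking at mode). Returns summary statistics of the yearly loss.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    yearly = []
    for _ in range(years):
        n_events = _poisson(rng, events_per_year)
        loss = sum(rng.triangular(loss_low, loss_high, loss_mode) for _ in range(n_events))
        yearly.append(loss)
    yearly.sort()
    return {
        "mean": statistics.fmean(yearly),
        "p50": yearly[len(yearly) // 2],
        "p95": yearly[int(0.95 * len(yearly))],
        "max": yearly[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: one loss event every two years, losing $50k-$500k,
    # most likely around $150k.
    rate, low, mode, high = 0.5, 50_000.0, 150_000.0, 500_000.0
    analytic = expected_annual_loss(rate, (low + mode + high) / 3)  # mean of the triangular
    print(f"point estimate of expected annual loss: ${analytic:,.0f}")
    result = simulate_annual_loss(rate, low, mode, high)
    for key, value in result.items():
        print(f"simulated annual loss {key}: ${value:,.0f}")
```

The point estimate alone hides that most years lose nothing while a few lose a great deal; the p50 and p95 figures are what distinguish a risk analysis from a single multiplication, and they are the numbers a treatment decision (in the Risk Management sense above) should be based on.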
