29 January 2025

In the Jargon Busting series, we take a quick look at some of the key words, ideas and concepts from the world of governance, risk management and compliance, provide a little context, and offer some insights.

This edition of the Jargon Busting Series examines the word “RISK”.

Let’s start at the very beginning

Risk management means different things, at different times, to different people and businesses. There are broad, enterprise-level risks that are incorporated into the executive and board’s strategic discussions. 

Then there are operational risks that relate to the day-to-day running of the business. There are risk management frameworks, risk appetite statements, risk committees, and risk registers.

Back to basics

Sometimes it’s good to go back to basics. What is a “risk”? It seems so simple. It pretty much goes without saying, doesn’t it? We all know what a risk is, don’t we? We deal with them every day - driving to work, boiling a kettle, crossing the road… As children, we understood exactly what a teacher or parent told us when they said that something was risky. It’s just one of those words that means something to us all.

Years ago, I watched a video of the motivational speaker Jim Rohn. He was talking about how life is very risky. Both doing and not doing, it is all risky, in different ways. His words really stuck with me: “I'll tell you how risky life is; you’re not going to make it out alive.”

So with that in mind, what is a risk?!

That’s easy, right?

Yes and no. In a commercial context, the word ‘risk’ is critically important to define. If we don’t define it and agree on what it means within a business and strategic context, everything stemming from it will be built on a shaky foundation. All of the frameworks, processes, policies, and definitions related to risk management rely on a solid understanding of what a risk actually is.

It helps that we are able to identify specific risks within context. But going one step further, and satisfying ourselves that we know what ‘risk’ means, provides a robust frame on which to build everything else. When we are able to confidently define what a risk is, we can then begin to identify, assess, and manage specific risks.

How is “risk” defined around the risk management world?

There are various definitions, although those definitions have common themes. Some of the better-known definitions include:

• Dictionary definitions: The possibility of loss or injury / the possibility of something bad happening.
• ISO31000: An uncertain future outcome that can either improve or worsen an organization’s position; the effect of uncertainty on objectives.
• COSO2017 ERM: The possibility that events will occur and affect the achievement of strategy and business objectives.
• Association of Project Management: Combination of the probability or frequency of occurrence of a defined threat or opportunity and the magnitude of the consequences of the occurrence.
• OCEG: A measure of the negative, unfavorable effect of uncertainty on objectives
• RIMS: Uses ISO31000 above
• IRM: Used the definition from ISO/IEC Guide 73, since replaced by ISO31000 (the previous definition was “the combination of the probability of an event and its consequences”)
• GARP: A measure of how likely it is that an entity will be threatened by a potential event

So, what is a risk?

As you can see from the above definitions, the common themes relate to chance, impact, threat and opportunity. Some of the definitions are focused on the negative (something bad happening) and others focused on the overall potential and significance of a specific event.

A risk, therefore, is not a tangible thing. It is a concept. Risks are simply potential. In a science class, you might remember the difference between potential and kinetic energy. Potential energy is the energy stored in an object, like an elastic band that has been stretched back really far. Kinetic energy is the object’s motion, like when you let go of the elastic band and it flies across the room.

So a risk is the combination of (1) how likely is it for the elastic band to be released + (2) how much damage will the elastic band cause if it is released? In other words, a risk is the combined likelihood and impact of a specific, adverse event happening as it relates to your business objectives.

Check out more blog posts to learn more about how to assess likelihood and impact!