What is Risk?

Risk is the possibility of experiencing harm or loss.

People take risks for good reasons: to profit, to change their lives, or to try another approach that is more promising. They take risks in the hope of a favorable outcome.

Sometimes risks have to do with exposure to changes. A change is always a risk. This is the reason we always authorize, test and document changes.

In non-technical contexts, the word risk refers, often rather vaguely, to situations in which it is possible but not certain that some undesirable event will occur.

In technical contexts, the word has several more specialized uses and meanings. Five of these are particularly important since they are widely used across disciplines:

1. Risk is an unwanted event which may or may not occur.

An example of this usage is: "Lung cancer is one of the major risks that affect smokers."

2. Risk is the cause of an unwanted event which may or may not occur.

An example of this usage is: "Smoking is by far the most important health risk in industrialized countries." (The unwanted event implicitly referred to here is a disease caused by smoking.)

3. Risk is the probability of an unwanted event which may or may not occur.

This usage is exemplified by the following statement: "The risk that a smoker's life is shortened by a smoking-related disease is about 50%."

4. Risk is the statistical expectation value of an unwanted event which may or may not occur.

The expectation value of a possible negative event is the product of its probability and some measure of its severity. It is common to use the number of people killed as a measure of the severity of an accident. With this measure of severity, the risk associated with a potential accident is equal to the statistically expected number of deaths. Other measures of severity give rise to other measures of risk.

Although expectation values have been calculated since the 17th century, the use of the term "risk" in this sense is relatively new. Today it is the standard technical meaning of the term "risk" in many disciplines. It is regarded by some risk analysts as the only correct usage of the term.

5. Risk is the fact that a decision is made under conditions of known probabilities ("decision under risk" as opposed to "decision under uncertainty").

In a corporate or in a military environment, risk is a measure of future uncertainties in achieving performance goals and objectives within defined cost, schedule and performance constraints.

Risk can be associated with all aspects of a program (e.g., threat, technology maturity, supplier capability, design maturation, performance against plan).

Risk addresses the potential variation in the planned approach and its expected outcome. Such variation could include positive as well as negative effects.

There are many different types of risks.

All investments, for example, involve some degree of risk. In finance, risk refers to the degree of uncertainty and/or potential financial loss inherent in an investment decision.

In general, as investment risks rise, investors seek higher returns to compensate themselves for taking such risks. With a stock, you are purchasing a piece of ownership in a company. With a bond, you are loaning money to a company. Returns from both of these investments require that the company stays in business. If a company goes bankrupt and its assets are liquidated, common stockholders are the last in line to share in the proceeds. If there are assets, the company's bondholders will be paid first, then holders of preferred stock. If you are a common stockholder, you get whatever is left, which may be nothing.


Risk as a term in law

In its legal dimension, risk is a normative construct. In simple terms, it establishes standards, duties, and expectations that guide and evaluate conduct.

Over time, law and governance transformed risk from a probability into an obligation. Once risk is recognized, it creates a duty to act: to prevent harm, to mitigate exposure, to inform stakeholders, and to design safeguards.

Supervisory authorities do not attempt to dictate every step of risk management. They require organizations to build internal systems capable of identifying and managing risks on their own.

This places the responsibility for interpretation and application on the regulated entity itself. It must decide what the relevant risks are, how serious they are, and what controls are proportionate. The supervisor then judges whether those decisions were reasonable and documented.

Treating risk as a normative construct has legal consequences. It shifts liability from the occurrence of harm to the management of the possibility of harm. In this construct, a company or executive may be held accountable not for what happened, but for how they were prepared for what could happen.

Where earlier law sought to punish wrongdoing after the fact, modern risk-based law shapes behavior before harm occurs. It does so by making prudence a legal requirement and foresight a condition of legitimacy.

In classical Roman law, the idea of periculum (danger or peril) referred to exposure to harm, but it lacked the probabilistic nature of modern risk. Liability was the result of dolus (intent) or culpa (negligence), not of probabilistic management. The concept of risk as a quantifiable and governable condition emerged much later, to answer the needs of maritime insurance, actuarial mathematics, and industrial regulation. By the nineteenth century, risk had become a unit of legal calculation, allowing obligations to be priced, shared, and transferred.

Twentieth-century law transformed risk again, from a transactional concept to a regulatory principle. As societies became technologically complex, the potential for catastrophic low-probability harms (high-impact, low-likelihood harms are the most difficult to prepare for and the most dangerous) demanded legal frameworks that could address the anticipation of damage rather than its aftermath.

Nuclear safety, environmental protection, and financial stability all required rules not for the compensation of victims but for the governance of uncertainty. This need led to the development of the risk-based approach.

Today, risk quantifies uncertainty but also defines duty. It measures exposure, but also the diligence of those responsible for its management.


Important risks

Emerging risk. It is the risk arising from new or evolving factors, whose potential impact, likelihood, and interdependencies are not yet fully understood or quantifiable, but which may materially affect an organization’s objectives, operations, or regulatory obligations once manifested.

Emerging risk is something we already see developing, like quantum computing. Frontier risk is something on the edge of current understanding, where there are no rules, data, or experience to guide us. For example, human–AI integration.

To learn more about Emerging Risk you may visit: https://www.risk-officer.com/Emerging_Risk.htm

Frontier risk. It is the risk arising from technological, geopolitical, environmental, or societal developments for which no established regulatory frameworks, historical data, or proven risk management practices yet exist, and which may have significant legal, operational, or strategic implications once materialized.

To learn more about Frontier Risk you may visit: https://www.risk-officer.com/Frontier_Risk.htm

Hybrid risk. It is the exposure that arises when multiple, distinct, and traditionally compartmentalized categories of risk, including cyber, legal, informational, financial, operational, reputational, and geopolitical, are synchronized to produce cumulative or systemic adverse effects on an organization and its operations.

To learn more about Hybrid Risk you may visit: https://www.risk-officer.com/Hybrid_Risk.htm

Cognitive risk. It is the risk of a degradation, distortion, or manipulation of human or institutional cognition that results in defective judgment and decision-making. It arises where mental processes essential to the formation of intent, the exercise of due care, or the discharge of legal and fiduciary duties are influenced by external interventions, including deception, disinformation, algorithmic bias, or cognitive overload.

To learn more about Cognitive Risk you may visit: https://www.risk-officer.com/Cognitive_Risk.htm

Credit risk. According to the Basel III framework, credit risk is defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms. The goal of credit risk management is to maximise a bank’s risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions.

To learn more about Credit Risk you may visit: https://www.risk-officer.com/Credit_Risk.htm


Market risk. It arises from changes in market rates or prices (i.e. interest rates, foreign exchange rates, equity, commodity and property prices) or from inaccuracies in accounting for these risks.

According to the Basel III framework, market risk is defined as the risk of losses in on- and off-balance-sheet positions arising from movements in market prices. The risks subject to this requirement are:

(1) The risks pertaining to interest rate related instruments and equities in the trading book;

(2) Foreign exchange risk and commodities risk throughout the bank.

To learn more about Market Risk you may visit: https://www.risk-officer.com/Market_Risk.htm


Operational risk. It arises from breakdowns or deficiencies in internal processes, technology failures, human errors, fraud and natural disasters.

According to the Basel III framework, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

To learn more about Operational Risk you may visit: https://www.risk-officer.com/Operational_Risk.htm


Compliance risk. It is the risk resulting from the failure to comply with laws (legislation, regulations and rules) and regulatory guidance, and the failure to appropriately address associated impact, including to customers. Compliance risk encompasses violations of applicable internal policies, program requirements, procedures, and standards.

To learn more about Compliance Risk you may visit: https://www.chief-compliance-officer.org/Compliance_Risk.html


Cyber risk. It is the risk of loss from dependence on computer systems and digital technologies. It includes financial loss, operational disruption, or damage from the failure of the digital technologies employed for informational and/or operational functions, arising from the unauthorized access, use, disclosure, disruption, modification, or destruction of systems.

To learn more about Cyber Risk you may visit: https://www.risk-officer.com/Cyber_Risk.htm


Systemic risk. It is the risk of experiencing events or conditions that affect a number of systemically important intermediaries or markets (including potentially related infrastructures).

Systemic financial risk is the risk that an event will trigger a loss of economic value or confidence in a substantial portion of an industry, that has significant adverse effects on the real economy.

Systemic risk events can be sudden and unexpected, or the likelihood of their occurrence can build up through time in the absence of appropriate policy responses.

To learn more about Systemic Risk you may visit: https://www.risk-officer.com/Systemic_Risk.htm


Political risk. It is the risk that business could suffer because of instability or political changes in a country, conflicts, unrest, changes in regimes or governments, changes in relations between countries, and changes in a country's policies, business laws or investment regulations.

To learn more about Political Risk you may visit: https://www.risk-officer.com/Political_Risk.htm


Strategic risk. It is the risk to earnings, capital, or liquidity arising from adverse business decisions, improper implementation of strategic initiatives, or inadequate responses to changes in the external operating environment.

To learn more about Strategic Risk you may visit: https://www.risk-officer.com/Strategic_Risk.htm


Conduct risk. The impact of poor business conduct has attracted more attention in recent years from regulators, supervisors, customers and all stakeholders. Fair customer treatment and the poor conduct of business affect individual customers and sectors as a whole, and they even give rise to systemic risks.

Significant market conduct failures can materially affect the confidence in particular products or sectors as a whole. Risk management frameworks often focus on internal controls and financial soundness risks to the entity itself, and there is less emphasis on risks posed to the customers. Where firms and organizations do not embed a culture of fair treatment of customers within their governance frameworks and business processes, there is a high risk of poor customer outcomes that leads to reputation risk too.

To learn more about Conduct Risk you may visit: https://www.risk-officer.com/Conduct_Risk.htm


Reputation risk. It is the risk arising from the potential that negative stakeholder opinion or negative publicity regarding business practices, whether true or not, will adversely impact current or projected financial conditions and resilience, cause a decline in the customer base, or result in costly litigation. Stakeholders include employees, customers, communities, shareholders, regulators, elected officials, advocacy groups, and media organizations.

To learn more about Reputation Risk you may visit: https://www.risk-officer.com/Reputation_Risk.htm


Liquidity risk. In the ordinary course of business, firms enter into contractual obligations that may require future cash payments, including funding for customer loan requests, customer deposit maturities and withdrawals, debt service, leases for premises and equipment, and other cash commitments. The objective of effective liquidity management is to ensure that firms can meet their contractual obligations and other cash commitments efficiently under both normal operating conditions and under periods of market stress. To help achieve this objective, Boards must establish liquidity guidelines that require sufficient asset-based liquidity to cover potential funding requirements, and to avoid over-dependence on volatile, less reliable funding markets.

To learn more about Liquidity Risk you may visit: https://www.risk-officer.com/Liquidity_Risk.htm


Climate risk. Climate change is affecting every country on every continent, and it is disrupting national economies and business. Weather patterns are changing, sea levels are rising, and weather events are becoming more extreme.

Firms and organizations around the world understand the ways the changing climate might affect their business, and build a comprehensive climate risk management framework that combines strategies and measures aimed at reducing climate risks and addressing the increasing impacts of climate change.

To learn more about Climate Risk you may visit: https://www.risk-officer.com/Climate_Risk.htm


Emerging risks. These are new risks that may challenge us in the future. These risks have the potential to crystallise at some point in the future, but are unlikely to impact our business during the next year.

The outcome of such risks is often more uncertain. They may begin to evolve rapidly or simply not materialise. Firms must monitor their business activities and external and internal environments for new, emerging and changing risks to ensure these are managed appropriately.

To learn more about Emerging Risk you may visit: https://www.risk-officer.com/Emerging_Risk.htm


Some insurance and reinsurance related risks:

Longevity risk. It is the risk that individuals live longer than expected. It creates challenges, not only for the individual who needs an income for a period longer than expected after retirement, but also for the government, defined benefit retirement funds and life insurers who face retirement-related liabilities that increase as a result of improved life expectancy.

Longevity is the result of a complex interaction of various factors such as increased prosperity, healthier lifestyle, better education and progress in disease diagnostics and medical treatment, to mention a few.


Mortality risk is the risk of loss, or of adverse change in the value of insurance liabilities, resulting from changes in the level, trend, or volatility of mortality rates, where an increase in the mortality rate leads to an increase in the value of insurance liabilities.


Disability – Morbidity risk is the risk of loss, or of adverse change in the value of insurance liabilities, resulting from changes in the level, trend or volatility of disability, sickness and morbidity rates.


Life-expense risk is the risk of loss, or of adverse change in the value of insurance liabilities, resulting from changes in the level, trend, or volatility of the expenses incurred in servicing insurance or reinsurance contracts.


Revision risk is the risk of loss, or of adverse change in the value of insurance liabilities, resulting from fluctuations in the level, trend, or volatility of the revision rates applied to annuities, due to changes in the legal environment or in the state of health of the person insured.


Lapse risk is the risk of loss, or of adverse change in the value of insurance liabilities, resulting from changes in the level or volatility of the rates of policy lapses, terminations, renewals and surrenders.


Life-catastrophe risk is the risk of loss, or of adverse change in the value of insurance liabilities, resulting from the significant uncertainty of pricing and provisioning assumptions related to extreme or irregular events.


Interest rate risk is the risk arising from the sensitivity of the values of assets, liabilities and financial instruments to changes in the term structure of interest rates, or in the volatility of interest rates.


Equity risk is the risk arising from the sensitivity of the values of assets, liabilities and financial instruments to changes in the level or in the volatility of market prices of equities.


Property risk is the risk arising from the sensitivity of the values of assets, liabilities and financial instruments to changes in the level or in the volatility of market prices of real estate.


Spread risk is the risk arising from the sensitivity of the values of assets, liabilities and financial instruments to changes in the level or in the volatility of credit spreads over the risk-free interest rate term structure.


Currency risk is the risk arising from the sensitivity of the values of assets, liabilities and financial instruments to changes in the level or in the volatility of currency exchange rates.


Market risk concentrations are additional risks to an insurance or reinsurance undertaking stemming either from lack of diversification in the asset portfolio or from large exposure to default risk by a single issuer of securities or a group of related issuers.


Contact IARCP

Lyn Spooner
lyn@risk-compliance-association.com

George Lekatis
President of the IARCP
1200 G Street NW, Suite 800, Washington, DC 20005, USA
(202) 449-9750
lekatis@risk-compliance-association.com
