What is risk?

What is risk, and how can it be expressed? Should risk be defined through probabilities or through uncertainties? That is what Eyvind Aven and Terje Aven attempt to explain in their paper On how to understand and express enterprise risk. In the paper, they claim that international standards such as the AS/NZS 4360 Risk Management Standard, the COSO ERM framework and the ISO 31000 Risk Management Standard do not provide adequate guidance on these issues and lack the necessary precision. Thus, they establish their own framework, where risk has two main components, namely 1) the impact of events and consequences (outcomes), and 2) the associated uncertainties (probabilities).

Familiar trains of thought

Terje Aven is perhaps one of Norway’s most prominent risk researchers, with more than 130 publications on risk-related issues, and in this article he picks up familiar thoughts and threads from papers previously reviewed on this blog, first and foremost perhaps his article from 2010 on how to define and describe risk, and also his 2007 paper that contained a framework for unifying risk and vulnerability, where uncertainty is a major part of the equation, just as it is here.

Three different perspectives

The paper starts off by comparing three definitions of risk:

1) AS/NZS 4360

Risk is the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence

2) COSO ERM
Risk is the possibility that an event will occur that adversely affects the achievement of objectives. Risk is described by likelihood and impact.

3) ISO 31000

Risk is the effect of uncertainty on objectives. An effect is a deviation from the expected (positive or negative). Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

and looks at how these definitions are different from each other and what this entails for the understanding of risk.

What makes them different?

The paper makes a major point in highlighting that these definitions are perhaps not contradictory, but nonetheless slightly inconsistent:

  • all refer to objectives as a point against which risk is measured
  • AS/NZS and COSO refer to probabilities or possibilities as the main pillar of risk, while ISO uses uncertainty
  • AS/NZS and ISO accommodate both desirable and undesirable outcomes, while COSO only refers to undesirable consequences
  • all definitions pair consequences and likelihood
  • all lack a precise definition of likelihood and probability

Thus, they are perhaps more confusing than actually clarifying what risk is. Would you agree?

What are the problems with these definitions?

There are three questions that arise from these definitions:

  • Should risk be linked to objectives?
  • Should risk be defined through probabilities or should risk be defined through uncertainties?
  • Is it possible to establish a unified perspective?

The preliminary answer is that

  • Objectives are a two-edged sword. First of all, any objective may hide the overall best solution, and who is to say what the right objective really is, and thus which consequences are really undesirable or desirable?
  • Probabilities are not certainties; they are a tool and nothing more than numbers used to express uncertainty, and like all tools, they have their limitations.
  • Considering that the three definitions are quite divergent, a unified perspective may seem impossible from the outset, but it doesn’t take too much reformulation to arrive at a more holistic point of view, and that is the topic of this article.

So how can we establish a view of risk that captures all perspectives?

A unified perspective?

The unified framework for enterprise risk assessment and risk management the authors come up with rests on 3 main pillars:

  1. Risk covers two components
    a) the impact of events/consequences in relation to some reference
    b) the associated uncertainties
  2. Risk is expressed using knowledge-based or judgemental probabilities
  3. These probabilities are conditional on a background knowledge which may be based on many assumptions.

The figure below illustrates the concept:

I think the figure perfectly captures all elements of risk, the impact (positive or negative), the probability of said impacts, and the uncertainty associated with the probabilities, shown by the size of the squares marking the impacts.
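As an added illustration (my own, not code from the paper or its authors), the three pillars can be written down as a small risk description in which the strength of the background knowledge is recorded next to each judgemental probability; the risk items and their values below are constructed, and the ranking rule is an assumption, not the authors' method:

```python
from dataclasses import dataclass

# Ordinal strength of the background knowledge K behind a probability.
# Constructed scale: "strong" means few assumptions, "weak" means many.
KNOWLEDGE_RANK = {"strong": 0, "medium": 1, "weak": 2}


@dataclass(frozen=True)
class RiskDescription:
    event: str
    impact: float       # deviation from the reference (negative = loss)
    probability: float  # knowledge-based probability P(event | K)
    knowledge: str      # strength of K: "strong", "medium" or "weak"

    def expected_impact(self) -> float:
        """Likelihood x consequence, the quantity the three standards stop at."""
        return self.impact * self.probability


def rank_by_expected_impact(risks):
    """Ranking when risk is reduced to the (impact, probability) pair only.
    Worst (most negative) expected impact comes first; ties keep input order."""
    return sorted(risks, key=lambda r: r.expected_impact())


def rank_with_uncertainty(risks):
    """Same ranking, but an item whose probability rests on weak knowledge is
    placed ahead of an equal-valued item with strong knowledge, so the
    assumptions behind the number are not hidden by the number itself."""
    return sorted(
        risks,
        key=lambda r: (r.expected_impact(), -KNOWLEDGE_RANK[r.knowledge]),
    )


def weak_knowledge_items(risks):
    """Events whose probabilities should be read as conditional on many
    assumptions, regardless of where they land in the ranking."""
    return [r.event for r in risks if r.knowledge == "weak"]


# Constructed sample: two items with identical expected impact but very
# different background knowledge, plus one with a larger expected loss.
SAMPLE_RISKS = [
    RiskDescription("Supplier outage", -100.0, 0.10, "strong"),
    RiskDescription("Cyber incident", -100.0, 0.10, "weak"),
    RiskDescription("Regulatory change", -40.0, 0.50, "medium"),
]
```

The expected-impact ranking cannot tell the first two items apart; the ranking that carries the uncertainty component puts the weakly founded one first.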


Not all of Terje Aven’s discourses on risk are easy to follow as they tend to be highly quantitative in nature; this one is spot on, and I think he has a major point. Having said that, there wasn’t much enterprise risk in the article, and the example case didn’t shed much light on it either. Personally, I’d say that enterprise could have been omitted from the title without making much difference. In fact, I think that would indeed have been a better title.


Aven, E., & Aven, T. (2011). On how to understand and express enterprise risk. International Journal of Business Continuity and Risk Management, 2(1), 20-34. DOI: 10.1504/IJBCRM.2011.040012

Jan Husdal is an engineer turned researcher turned engineer again and he is now a Resilience Adviser with the Southern Region office of the Norwegian Public Roads Administration (Statens vegvesen Region sør) in Arendal, Norway,
