What is risk?

What is risk, and how can it be expressed? Should risk be defined through probabilities or should risk be defined through uncertainties? That is what Eyvind Aven and Terje Aven are attempting to explain in their paper On how to understand and express enterprise risk. In the paper, they claim that different international standards, such as the AS/NZS 4360 Risk Management Standard, the COSO ERM framework and the ISO 31000 Risk Management Standard, do not provide adequate guidance on these issues and lack the necessary precision. Thus, they establish their own framework, where risk has two main components, namely 1) the impact of events and consequences (outcomes), and 2) the associated uncertainties (probabilities).

Familiar trains of thought

Terje Aven is perhaps one of Norway’s most prominent risk researchers, with more than 130 publications on risk-related issues, and in this article he picks up familiar thoughts and threads from papers previously reviewed on this blog, first and foremost perhaps his article from 2010 on how to define and describe risk, and also his 2007 paper that contained a framework for unifying risk and vulnerability, where uncertainty is a major part of the equation, just as it is here.

Three different perspectives

The paper starts off by comparing three definitions of risk:

1) AS/NZS 4360

Risk is the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence.

2) COSO ERM

Risk is the possibility that an event will occur that adversely affects the achievement of objectives. Risk is described by likelihood and impact.

3) ISO 31000

Risk is the effect of uncertainty on objectives. An effect is a deviation from the expected (positive or negative). Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

and looks at how these definitions are different from each other and what this entails for the understanding of risk.

What makes them different?

The paper makes a major point in highlighting that these definitions are perhaps not contradictory, but nonetheless slightly inconsistent:

  • all refer to objectives as a point against which risk is measured
  • AS/NZS and COSO refer to probabilities or possibilities as the main pillar of risk, while ISO uses uncertainty
  • AS/NZS and ISO accommodate both desirable and undesirable outcomes, while COSO only refers to undesirable consequences
  • all definitions pair consequences and likelihood
  • all lack a precise definition of likelihood and probability

Thus, they are perhaps more confusing than actually clarifying what risk is. Would you agree?

What are the problems with these definitions?

There are three questions that arise from these definitions:

  • Should risk be linked to objectives?
  • Should risk be defined through probabilities or should risk be defined through uncertainties?
  • Is it possible to establish a unified perspective?

The preliminary answer is that

  • Objectives are a two-edged sword. First of all, an objective, whichever way it is set, may hide the overall best solution, and who is to say what the right objective really is, and thus which consequences are really undesirable or desirable?
  • Probabilities are not a certainty; they are a tool and nothing more than numbers that are used to express uncertainty, and like all tools, they have their limitations.
  • Considering that the three definitions are quite divergent, a unified perspective may seem impossible from the outset, but it doesn’t take too much reformulation to come up with a more holistic point of view, and that is the topic of this article.

So how can we establish a view of risk that captures all perspectives?

A unified perspective?

The unified framework for enterprise risk assessment and risk management the authors come up with rests on 3 main pillars:

  1. Risk covers two components
    a) the impact of events/consequences in relation to some reference
    b) the associated uncertainties
  2. Risk is expressed using knowledge-based or judgemental probabilities
  3. These probabilities are conditional on a background knowledge which may be based on many assumptions.

The figure below illustrates the concept:

I think the figure perfectly captures all elements of risk: the impact (positive or negative), the probability of said impacts, and the uncertainty associated with the probabilities, shown by the size of the squares marking the impacts.
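To make the three pillars concrete, here is an added example (my own illustration, not code from the paper or from the blog): each risk is described by an impact relative to a reference, a knowledge-based probability, and the background assumptions that probability rests on, with a strength-of-knowledge rating that widens or narrows the interval around the probability, much like the square size in the figure. The events, numbers and the mapping from strength of knowledge to interval width are all constructed assumptions.

```python
"""Added example (not from Aven & Aven or the blog post): a small model of the
unified risk description, with constructed events and constructed numbers.

Pillar 1: impact relative to a reference (negative = loss, positive = gain)
          plus the associated uncertainty.
Pillar 2: a knowledge-based (judgemental) probability for each event.
Pillar 3: that probability is conditional on background knowledge K, so we
          record the assumptions and how strong that knowledge is.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RiskEvent:
    name: str
    impact: float                 # deviation from the reference outcome
    probability: float            # judgemental probability P(event | K), 0..1
    assumptions: List[str] = field(default_factory=list)  # background knowledge K
    knowledge_strength: str = "medium"                   # "strong" | "medium" | "weak"


# Assumed (constructed) half-width of the interval around P for each strength
# rating; this plays the role of the square size in the paper's figure.
STRENGTH_HALF_WIDTH = {"strong": 0.05, "medium": 0.15, "weak": 0.30}


def probability_interval(ev: RiskEvent) -> Tuple[float, float]:
    """Interval around the judgemental probability, clipped to [0, 1]."""
    hw = STRENGTH_HALF_WIDTH[ev.knowledge_strength]
    return (round(max(0.0, ev.probability - hw), 2),
            round(min(1.0, ev.probability + hw), 2))


def expected_impact(ev: RiskEvent) -> float:
    """Point estimate: impact weighted by the judgemental probability."""
    return round(ev.impact * ev.probability, 2)


def impact_range(ev: RiskEvent) -> Tuple[float, float]:
    """Range of probability-weighted impact once knowledge strength is included."""
    lo, hi = probability_interval(ev)
    a, b = ev.impact * lo, ev.impact * hi
    return (round(min(a, b), 2) + 0.0, round(max(a, b), 2) + 0.0)


def rank_by_expected(events: List[RiskEvent]) -> List[str]:
    """Ranking that only looks at the point estimate (what a P x C matrix does)."""
    return [e.name for e in sorted(events, key=lambda e: -abs(expected_impact(e)))]


def rank_by_worst_case(events: List[RiskEvent]) -> List[str]:
    """Ranking by the largest magnitude inside the uncertainty interval."""
    def worst(e: RiskEvent) -> float:
        lo, hi = impact_range(e)
        return max(abs(lo), abs(hi))
    return [e.name for e in sorted(events, key=lambda e: -worst(e))]


def weak_knowledge_events(events: List[RiskEvent]) -> List[str]:
    """Events whose probability rests on weak background knowledge, i.e. where
    the assumptions in K deserve review before the point estimate is trusted."""
    return [e.name for e in events if e.knowledge_strength == "weak"]


# Constructed sample register for an illustrative enterprise.
SAMPLE_REGISTER = [
    RiskEvent("Ransomware outbreak in plant network", -2_000_000, 0.10,
              ["incident history of the sector", "current patch status"], "strong"),
    RiskEvent("Key supplier insolvency", -800_000, 0.20,
              ["supplier's last published accounts"], "weak"),
    RiskEvent("New market contract awarded", 500_000, 0.30,
              ["tender shortlist"], "medium"),
]

if __name__ == "__main__":
    for ev in SAMPLE_REGISTER:
        print(ev.name, expected_impact(ev), probability_interval(ev), impact_range(ev))
    print("by point estimate :", rank_by_expected(SAMPLE_REGISTER))
    print("by worst case     :", rank_by_worst_case(SAMPLE_REGISTER))
    print("weak knowledge    :", weak_knowledge_events(SAMPLE_REGISTER))
```

The two rankings disagree on the constructed register: by point estimate the ransomware event comes first, but once the weak knowledge behind the supplier probability is taken into account, the supplier event has the larger possible impact. That is the practical content of pillar 3: two identical probabilities are not equally trustworthy, and a ranking that ignores the background knowledge hides exactly the risks whose assumptions most need checking.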


Not all of Terje Aven’s discourses on risk are easy to follow as they tend to be highly quantitative in nature; this one is spot on, and I think he has a major point. Having said that, there wasn’t much enterprise risk in the article, and the example case didn’t shed much light on it either. Personally, I’d say that enterprise could have been omitted from the title without making much difference. In fact, I think that would indeed have been a better title.


Aven, E., & Aven, T. (2011). On how to understand and express enterprise risk. International Journal of Business Continuity and Risk Management, 2(1), 20-34. DOI: 10.1504/IJBCRM.2011.040012
