What is risk?

What is risk, and how can it be expressed? Should risk be defined through probabilities or should risk be defined through uncertainties? That is what Eyvind Aven and Terje Aven are attempting to explain in their paper On how to understand and express enterprise risk. In the paper, they claim that different international standards, such as the AS/NZS 4360 Risk Management Standard, the COSO ERM framework and the ISO 31000 Risk Management Standard, do not provide adequate guidance on these issues and lack the necessary precision. Thus, they establish their own framework, where risk has two main components, namely 1) the impact of events and consequences (outcomes), and 2) the associated uncertainties (probabilities).

Familiar trains of thought

Terje Aven is perhaps one of Norway’s most prominent risk researchers, with more than 130 publications on risk-related issues. In this article he picks up familiar thoughts and threads from papers previously reviewed on this blog: first and foremost perhaps his article from 2010 on how to define and describe risk, and also his 2007 paper that contained a framework for unifying risk and vulnerability, where uncertainty is a major part of the equation, just as it is here.

Three different perspectives

The paper starts off by comparing three definitions of risk:

1) AS/NZS 4360

Risk is the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence.

2) COSO ERM

Risk is the possibility that an event will occur that adversely affects the achievement of objectives. Risk is described by likelihood and impact.

3) ISO 31000

Risk is the effect of uncertainty on objectives. An effect is a deviation from the expected (positive or negative). Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

and looks at how these definitions are different from each other and what this entails for the understanding of risk.

What makes them different?

The paper makes a major point of highlighting that these definitions are perhaps not contradictory, but nonetheless slightly inconsistent:

  • all refer to objectives as a point against which risk is measured
  • AS/NZS and COSO refer to probabilities or possibilities as the main pillar of risk, while ISO uses uncertainty
  • AS/NZS and ISO accommodate both desirable and undesirable outcomes, while COSO only refers to undesirable consequences
  • all definitions pair consequences and likelihood
  • all lack a precise definition of likelihood and probability

Thus, they are perhaps more confusing than actually clarifying what risk is. Would you agree?

What are the problems with these definitions?

There are three questions that arise from these definitions:

  • Should risk be linked to objectives?
  • Should risk be defined through probabilities or should risk be defined through uncertainties?
  • Is it possible to establish a unified perspective?

The preliminary answer is that

  • Objectives are a two-edged sword. First of all, an objective either way may hide the overall best solution, and who is to say what the right objective really is, and thus which consequences are really undesirable or desirable?
  • Probabilities are not a certainty; they are a tool and nothing more than numbers that are used to express uncertainty, and like all tools, they have their limitations.
  • Considering that the three definitions are quite divergent, a unified perspective may seem impossible from the outset, but it doesn’t take too much reformulation to come up with a more holistic point of view, and that is the topic of this article.

So how can we establish a view of risk that captures all perspectives?

A unified perspective?

The unified framework for enterprise risk assessment and risk management the authors come up with rests on 3 main pillars:

  1. Risk covers two components
    a) the impact of events/consequences in relation to some reference
    b) the associated uncertainties
  2. Risk is expressed using knowledge-based or judgemental probabilities
  3. These probabilities are conditional on a background knowledge which may be based on many assumptions.

The figure below illustrates the concept:

I think the figure perfectly captures all elements of risk, the impact (positive or negative), the probability of said impacts, and the uncertainty associated with the probabilities, shown by the size of the squares marking the impacts.


Not all of Terje Aven’s discourses on risk are easy to follow as they tend to be highly quantitative in nature; this one is spot on, and I think he has a major point. Having said that, there wasn’t much enterprise risk in the article, and the example case didn’t shed much light on it either. Personally, I’d say that enterprise could have been omitted from the title without making much difference. In fact, I think that would indeed have been a better title.


Aven, E., & Aven, T. (2011). On how to understand and express enterprise risk. International Journal of Business Continuity and Risk Management, 2(1), 20-34. DOI: 10.1504/IJBCRM.2011.040012
