- Infoworks® International, Inc. - https://infoworks.com -

What is a Risk?

The purpose of risk management is obviously to manage risks. But one of the most common failings in the risk management process is for the risk identification step to identify things that are not risks. If this early stage of the risk process fails, subsequent steps will be doomed, and risk management will not be effective. It is therefore essential to ensure that the risk identification process correctly identifies risks.

Many people are confused between risk and uncertainty. Risk is a type of uncertainty, and it’s important to define what qualifies an uncertainty as a risk. The key is that risk is defined in relation to objectives. The simplest definition of risk is “uncertainty that matters,” and it matters because it can affect one or more objectives. Risk does not exist in a vacuum, and we need to define what is “at risk,” i.e. what objectives would be affected if the risk occurred.

A more complete definition of risk would therefore be “an uncertainty that, if it occurs, could affect one or more objectives.” There are other uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk process. For example, if we are conducting an IT project in India, the uncertainty about whether it might be raining in London is irrelevant – who cares? But if our project involves redeveloping the Queen’s gardens at Buckingham Palace, the possibility of rain in London is not just an uncertainty – it matters. In one case the rain is merely an irrelevant uncertainty, but in the other it is a risk.


Linking risk with objectives makes it clear that every facet of life is risky. Everything we do aims to achieve objectives of some sort, including personal objectives (to be happy and healthy), project objectives (delivering on-time and within budget), and corporate business objectives (increasing profit and market share). Wherever objectives are defined, there will be risks to their successful achievement.

The link also helps us to identify risks at different levels, based on the hierarchy of objectives that exists in an organization. For example, strategic risks are uncertainties that could affect strategic objectives, technical risks might affect technical objectives, reputation risks would affect reputation, and so on.

One other question arises from the concept of risk as “uncertainty that could affect objectives” – what sort of effect might occur? There are uncertainties that, if they occur, would make it more difficult to achieve objectives (threats), and there are also uncertain events that, if they occur, would help us achieve our objectives (opportunities). When identifying risks, we need to look for uncertainties with upside as well as those with downside.

Effective risk management requires identification of real risks, which are “uncertainties that, if they occur, will have a positive or negative effect on one or more objectives.” Linking risks with objectives will ensure that the risk identification process focuses on uncertainties that matter, rather than being distracted and diverted by irrelevant uncertainties.


Another common challenge in the risk identification process is confusion between causes of risk, the risks themselves, and the effects of risks. The PMI® PMBoK® Guide (Sixth Edition) says that “A risk may have one or more causes and, if it occurs, one or more impacts.” In the simplest case, one cause leads to a single risk, which in turn could have just one effect. Reality, of course, is considerably more complex. How do causes, risks, and effects differ?

Including causes or effects in the list of identified risks obscures genuine risks, which may not receive the appropriate degree of attention they deserve. So how can we clearly separate risks from their causes and effects? One way is to use risk metalanguage (a formal description with required elements) to provide a three-part structured “risk statement” as follows:

“As a result of <definite cause>, <uncertain event> may occur, which would lead to <effect on objective(s)>.”

Examples include the following:

The use of risk metalanguage should ensure that risk identification actually identifies risks, distinct from causes or effects. Without this discipline, risk identification can produce a mixed list containing risks and non-risks, leading to confusion and distraction later in the risk process.
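The three-part risk statement above is a format, and like any format it can be checked mechanically. The following is an added example, not code from the article or from Infoworks: it parses the metalanguage template into its cause, event and effect parts, rejects statements whose "definite cause" is actually worded as an uncertainty (the cause/risk confusion described above), drops uncertainties whose effect touches none of the defined objectives (the rain-in-London case), and labels the survivors as threats or opportunities. The objective list, the keyword matching used to link effects to objectives, and every sample statement are constructed assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The article's risk metalanguage, expressed as a pattern:
# "As a result of <definite cause>, <uncertain event> may occur,
#  which would lead to <effect on objective(s)>."
STATEMENT_RE = re.compile(
    r"^As a result of (?P<cause>.+?), (?P<event>.+?) may occur, "
    r"which would lead to (?P<effect>.+?)\.?$",
    re.IGNORECASE,
)

# Hedging words that mark a cause as uncertain rather than definite
# (a cause worded this way is really an event and belongs in the event slot).
HEDGES = ("may", "might", "could", "possible", "possibly", "potential", "uncertain")

# Constructed objective list (assumption): objective -> direction -> phrases
# that, if found in the effect clause, mean the objective is affected.
OBJECTIVES = {
    "schedule": {"threat": ("delay", "slip", "late"), "opportunity": ("earlier", "ahead of")},
    "budget": {"threat": ("overspend", "extra cost", "over budget"), "opportunity": ("lower cost", "saving")},
}

# Constructed sample register entries (assumption), one per outcome.
SAMPLE_REGISTER = [
    "As a result of moving to a new cloud provider, a migration overrun may occur, which would lead to a delay to the go-live date.",
    "As a result of the team's prior experience with the chosen framework, early completion of development may occur, which would lead to an earlier release and lower cost.",
    "As a result of seasonal weather patterns, heavy rain in London may occur, which would lead to wet streets.",
    "As a result of a possible supplier delay, an integration test slip may occur, which would lead to a delay to acceptance.",
    "The build server might fail.",
]


@dataclass(frozen=True)
class RiskStatement:
    cause: str
    event: str
    effect: str


def parse_statement(text: str) -> RiskStatement:
    """Split a metalanguage statement into its three parts; raise if it does not fit the template."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a three-part risk statement: {text!r}")
    return RiskStatement(m["cause"].strip(), m["event"].strip(), m["effect"].strip())


def render_statement(rs: RiskStatement) -> str:
    """Rebuild the canonical statement text from its parts."""
    return f"As a result of {rs.cause}, {rs.event} may occur, which would lead to {rs.effect}."


def cause_is_definite(cause: str) -> bool:
    """A definite cause is a fact; any hedging word means it was worded as an uncertainty."""
    words = re.findall(r"[a-z]+", cause.lower())
    return not any(w in HEDGES for w in words)


def affected_objectives(effect: str, objectives: dict = OBJECTIVES) -> dict:
    """Map each objective the effect clause mentions to 'threat', 'opportunity' or 'mixed'."""
    text = effect.lower()
    hits: dict = {}
    for name, directions in objectives.items():
        for direction, phrases in directions.items():
            if any(p in text for p in phrases):
                hits[name] = "mixed" if name in hits else direction
    return hits


def triage(statement: str, objectives: dict = OBJECTIVES) -> dict:
    """Decide whether a candidate entry is a genuine risk, and of what kind."""
    try:
        rs = parse_statement(statement)
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    if not cause_is_definite(rs.cause):
        return {"verdict": "rejected", "reason": "cause is worded as uncertain; it belongs in the event slot"}
    hits = affected_objectives(rs.effect, objectives)
    if not hits:
        # Uncertain, but not "uncertainty that matters": no objective is at stake.
        return {"verdict": "irrelevant uncertainty", "reason": "effect touches no defined objective"}
    kinds = set(hits.values())
    kind = kinds.pop() if len(kinds) == 1 else "mixed"
    return {"verdict": "risk", "kind": kind, "objectives": sorted(hits), "statement": rs}


def build_register(statements: list, objectives: dict = OBJECTIVES) -> dict:
    """Triage every candidate statement and return the results keyed by statement."""
    return {s: triage(s, objectives) for s in statements}


if __name__ == "__main__":
    for text, result in build_register(SAMPLE_REGISTER).items():
        print(f"{result['verdict']:<23} {result.get('kind', '')!s:<12} {text}")
```

Only entries with the verdict `risk` belong in the register; a `rejected` entry needs rewording so that the uncertainty moves into the event slot, and an `irrelevant uncertainty` entry is dropped unless the objective list itself was incomplete. The keyword lists stand in for whatever objective definitions a real project has, and would normally be replaced by an explicit mapping supplied by the risk owner.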

Risks must be identified if they are to be successfully managed. But risk is not the same as uncertainty, and risks must be separated from their causes and their effects. We must be clear about what we are trying to identify. Only then can we be sure that the risk management process is addressing those uncertainties that can affect our projects and businesses.