Risk


Risk is the possibility of something bad happening, comprising a level of uncertainty about the effects and implications of an activity, particularly negative and undesirable consequences.
Risk theory, assessment, and management are applied in many practice areas, such as business, economics, environment, finance, information technology, health, insurance, safety, security, and privacy, but differ substantially between them. The international standard for risk management, ISO 31000, provides general guidelines and principles on managing risks faced by organizations.
Figure: Artist's impression of a major asteroid impact, an example of a global catastrophic risk.

Definition

The Oxford English Dictionary cites the earliest use of the word in English as of 1621, and the spelling as risk from 1655. While including several other definitions, the OED 3rd edition defines risk as "the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility". The Cambridge Advanced Learner's Dictionary defines risk as "the possibility of something bad happening". Some have argued that the definition of risk is subjective and context-specific. The International Organization for Standardization 31073 defines risk as:
effect of uncertainty on objectives
Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

Other general definitions include:
  • "Source of harm"
  • "Chance of harm"
  • "Uncertain events affecting objectives"
  • "Uncertainty of outcome"
  • "Potential returns from an event, where the returns are any changes, effects, consequences, and so on, of the event"
  • "Human interaction with uncertainty"

Versus uncertainty

In his seminal 1921 work Risk, Uncertainty, and Profit, Frank Knight established the distinction between risk and uncertainty.
Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.

By field

Mathematical

Triplets

Risk is often considered to be a set of triplets
where:
Risks expressed in this way can be shown in a risk register or a risk matrix. They may be quantitative or qualitative, and can include positive as well as negative consequences.
An updated version recommends the following general description of risk:
where:

Probability distributions

If all the consequences are expressed in the same units, the risk can be expressed as a probability density function describing the uncertainty about outcome:
This can also be expressed as a cumulative distribution function. One way of highlighting the tail of this distribution is by showing the probability of exceeding given losses, known as a complementary cumulative distribution function, plotted on logarithmic scales. For example, frequency-number diagrams show the annual frequency of exceeding given numbers of fatalities. Another way of summarizing the size of the distribution's tail is the loss with a certain probability of exceedance, that is, the value at risk.

Expected values

Risk is often measured as the expected value of the loss. This combines the probabilities and consequences into a single value. See also expected utility. The simplest case is a binary possibility of Accident or No accident. The associated formula for calculating risk is then:
In a situation with several possible accident scenarios, total risk is the sum of the risks for each scenario, provided that the outcomes are comparable:
In statistical decision theory, the risk function is defined as the expected value of a given loss function as a function of the decision rule used to make decisions in the face of uncertainty.
A disadvantage of defining risk as the product of impact and probability is that it presumes, unrealistically, that decision-makers are risk-neutral. A risk-neutral person's utility is proportional to the expected value of the payoff. For example, a risk-neutral person would consider 20% chance of winning $1 million exactly as desirable as getting a certain $200,000. However, most decision-makers are not actually risk-neutral and would not consider these equivalent choices. Pascal's mugging is a philosophical thought experiment that demonstrates issues in assessing risk solely by the expected value of loss or return.
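The following Python sketch is an added example, not part of the original article. It treats a risk register as a discrete distribution of mutually exclusive scenarios and computes the expected loss, the complementary cumulative distribution and the value at risk described above. The `Scenario` type, the function names and both sample registers are constructed for illustration; the two registers have the same expected loss but very different tails, which is the risk-neutrality problem in numbers.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance of this outcome in the period (outcomes are mutually exclusive)
    loss: float         # consequence, every scenario in the same unit

def validate(register):
    """Reject registers that do not describe a probability distribution."""
    if any(s.probability < 0 or s.loss < 0 for s in register):
        raise ValueError("probabilities and losses must be non-negative")
    if not math.isclose(sum(s.probability for s in register), 1.0):
        raise ValueError("scenario probabilities must sum to 1")

def expected_loss(register):
    """Total risk as the sum of probability x consequence over all scenarios."""
    validate(register)
    return sum(s.probability * s.loss for s in register)

def exceedance(register, level):
    """Complementary cumulative distribution: P(loss > level)."""
    validate(register)
    return sum(s.probability for s in register if s.loss > level)

def value_at_risk(register, p_exceed):
    """Smallest loss level whose probability of being exceeded is <= p_exceed."""
    for level in sorted({s.loss for s in register}):
        if exceedance(register, level) <= p_exceed:
            return level

# Constructed sample registers: same expected loss, different tails.
FREQUENT_SMALL = [
    Scenario("no loss", 0.70, 0),
    Scenario("minor incident", 0.20, 20_000),
    Scenario("moderate incident", 0.10, 60_000),
]
RARE_LARGE = [
    Scenario("no loss", 0.98, 0),
    Scenario("major incident", 0.015, 200_000),
    Scenario("catastrophic incident", 0.005, 1_400_000),
]

if __name__ == "__main__":
    for label, reg in (("frequent/small", FREQUENT_SMALL), ("rare/large", RARE_LARGE)):
        print(label, round(expected_loss(reg)),
              value_at_risk(reg, 0.01), value_at_risk(reg, 0.001))
```

A decision-maker who looks only at the expected loss sees the two registers as identical; the value at risk at a small exceedance probability separates them.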

Outcome frequencies

Risks of discrete events such as accidents are often measured as outcome frequencies, or expected rates of specific loss events per unit time. When small, frequencies are numerically similar to probabilities, but have dimensions of and can sum to more than 1. Typical outcomes expressed this way include:
  • Individual risk – the frequency of a given level of harm to an individual. It often refers to the expected annual probability of death, and is then comparable to the mortality rate.
  • Group – the relationship between the frequency and the number of people suffering harm.
  • Frequencies of property damage or total loss.
  • Frequencies of environmental damage such as oil spills.

Financial risk

In finance, an elementary measure of risk for financial asset prices is volatility, the degree of variation of a trading price over time, usually measured by the standard deviation of logarithmic returns.

Portfolio theory

Modern portfolio theory measures the riskiness of a portfolio using the variance of the portfolio. If we denote return by of a portfolio with weight vector then the risk, as measured by variance of the portfolio is given by
where denotes the return of asset. Modern portfolio theory tells us an optimal combination of weights creates an optimal portfolio - known as the tangency portfolio - that still has undiversifiable risk. The model implies this 'systematic' source of risk should be the only factor considered, as all other sources of risk can be diversified away. An extension of this is the Capital asset pricing model, where this optimal portfolio becomes known as the market portfolio.
The beta coefficient measures the sensitivity of an individual asset to overall market changes, and is defined as the linear projection coefficient of asset returns on the returns of a market portfolio,
In a CAPM world, can be interpreted as the contribution of systemic risk to the risk of asset.

Risk-neutral measure

In mathematical finance, a risk-neutral measure is a probability measure such that each share price is exactly equal to the discounted expectation of the share price under the measure. This is heavily used in the pricing of financial derivatives due to the fundamental theorem of asset pricing.
Let be a d-dimensional market representing the price processes of the risky assets, the risk-free bond and the underlying probability space. Then a measure is a risk-neutral measure if
  1. , i.e., is equivalent to,
  2. the processes are martingales w.r.t. .

Mandelbrot's mild and wild theory

Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and analysis must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail, and is therefore difficult or impossible to predict. A common error in risk assessment and analysis is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and analysis are to be valid and reliable, according to Mandelbrot.
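As an added illustration (not from the original article), the Python sketch below draws one sample from a normal distribution and one from a Pareto distribution and measures how much of the total loss comes from the largest observations. The distribution parameters, the seed and the function names are assumptions chosen for the example.

```python
import random

def largest_share(samples):
    """Fraction of the total contributed by the single largest observation."""
    return max(samples) / sum(samples)

def top_share(samples, fraction):
    """Fraction of the total contributed by the largest `fraction` of observations."""
    ordered = sorted(samples, reverse=True)
    k = max(1, int(len(ordered) * fraction))
    return sum(ordered[:k]) / sum(ordered)

def draw_losses(n=20_000, seed=7):
    """Constructed samples: 'mild' is normal, 'wild' is Pareto with a fat tail."""
    rng = random.Random(seed)
    mild = [rng.gauss(100, 15) for _ in range(n)]       # assumed mean 100, sd 15
    wild = [rng.paretovariate(1.1) for _ in range(n)]   # assumed tail index 1.1
    return mild, wild

if __name__ == "__main__":
    mild, wild = draw_losses()
    for label, data in (("mild", mild), ("wild", wild)):
        print(f"{label}: largest observation = {largest_share(data):.4%} of total, "
              f"top 1% = {top_share(data, 0.01):.1%} of total")
```

In the mild sample no single observation matters and the top 1% carries little more than 1% of the total; in the wild sample a handful of observations carry a large part of it, so an estimate built from a history that happens to lack those observations understates the risk.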

Estimation

Risk management is the set of actions that organisations take to avoid and mitigate downside risks, taking into account factors such as the possibility of upside risk opportunities, innovation, the environment, safety, scientific evidence, culture, politics, and law. Risk management operates at the strategic, operational, and individual level, and may form part of an overarching governance, risk, and compliance strategy. It comprises the assessment of risk as regards an organisation's objectives and strategies, as well as risk mitigation options, such as risk transformation, risk transfer, risk avoidance, risk reduction, and risk retention.

Assessment

Risk assessment is a systematic approach to recognising and characterising risks, and evaluating their significance, in order to support decisions about how to manage them. ISO 31000 defines it in terms of its components as "the overall process of risk identification, risk analysis and risk evaluation":
  • Risk identification is "the process of finding, recognizing and recording risks". It "involves the identification of risk sources, events, their causes and their potential consequences." ISO 31000 describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation. In safety contexts, where risk sources are known as hazards, this step is known as "hazard identification".
  • The ISO defines risk analysis as "the process to comprehend the nature of risk and to determine the level of risk". In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation. Risk analysis often uses data on the probabilities and consequences of previous events.
  • Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions. In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.
For example, the tolerability of risk framework, developed by the UK Health and Safety Executive, divides risks into three bands:
  • Unacceptable risks – only permitted in exceptional circumstances.
  • Tolerable risks – to be kept as low as reasonably practicable, taking into account the costs and benefits of further risk reduction.
  • Broadly acceptable risks – not normally requiring further reduction.