Anatomy Of Risk

A risk is a possible problem that has yet to occur.

When a risk we have identified becomes a problem, we say "the risk has materialised." The cost of dealing with the problem is called the impact.

Each risk has two variables: probability and impact. The combination of probability and impact is known as RiskExposure:

 RiskExposure = probability * impact

Both probability and impact vary over time. Therefore our exposure to risk is usually not a constant. Each risk has a lifespan which begins when the exposure becomes more than 0 and ends when it drops back down.

Most risks are not atomic, but aggregates of many risks. A common example of an AggregateRisk is the facetious case of a meteor strike on your office. Although managing the risk of a meteor strike itself is foolish, it contains many component risks which we should manage. For example, a meteor strike would almost certainly destroy all the data held at an office. But a meteor strike is not the only risk that could cause this. There are many others with a much higher probability: a simple computer virus, theft, an office fire, and so on. Managing the risk of data loss, for example by using an off-site backup, automatically accounts for this portion in all its aggregates, even a meteor strike.
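
The exposure formula, the lifespan of a risk and the meteor-strike example above, worked through as an added example (not part of the original page). All probabilities, costs and the timeline are constructed for illustration, and the names Cause, data_loss_portion and lifespan are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cause:
    name: str
    probability: float   # constructed yearly probability of the event

# Constructed figures for illustration; none come from the page.
CAUSES = [
    Cause("computer virus", 0.20),
    Cause("theft", 0.05),
    Cause("office fire", 0.01),
    Cause("meteor strike", 1e-9),
]
IMPACT_NO_BACKUP = 500_000   # cost of losing all data held at the office
IMPACT_WITH_BACKUP = 5_000   # cost of restoring from an off-site backup

def exposure(probability: float, impact: float) -> float:
    """RiskExposure = probability * impact."""
    return probability * impact

def data_loss_portion(causes, impact):
    """Exposure of the shared 'data loss' component inside each aggregate risk."""
    return {c.name: exposure(c.probability, impact) for c in causes}

def lifespan(series):
    """series: (probability, impact) per period. Returns (start, end): the first
    period with exposure > 0 and the first later period where it is back to 0
    (end is None while the risk is still live); None if it never goes above 0."""
    values = [exposure(p, i) for p, i in series]
    start = next((t for t, v in enumerate(values) if v > 0), None)
    if start is None:
        return None
    end = next((t for t in range(start + 1, len(values)) if values[t] <= 0), None)
    return start, end

if __name__ == "__main__":
    before = data_loss_portion(CAUSES, IMPACT_NO_BACKUP)
    after = data_loss_portion(CAUSES, IMPACT_WITH_BACKUP)
    for name in before:
        print(f"{name:15} {before[name]:>14.4f} -> {after[name]:>12.4f}")
    print("total", sum(before.values()), "->", sum(after.values()))
    # Constructed timeline: data store commissioned in period 1, retired in period 4.
    print(lifespan([(0, 0), (0.1, 500_000), (0.2, 500_000), (0.2, 5_000), (0, 0)]))
```

One mitigation (the backup) lowers the data-loss portion of every aggregate at once, and almost all of the saved exposure comes from the mundane causes rather than the meteor.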


See RiskManagement


Last edited March 28, 2004