ISO 31000 defines risk as the "effect of uncertainty on objectives." It is measured not by danger itself, but by distance from one's objectives. This is the first point where the vocabulary of management diverges from the vocabulary of review. This piece separates three words — risk, hazard, and exposure — and sets down the shared yardstick used throughout the rest of the series.

01 Risk Is Not "a Bad Thing" — The ISO 31000 Definition

In everyday speech, risk is used as a near-synonym for danger or loss. But ISO 31000:2018 defines risk as the "effect of uncertainty on objectives" (3.1). That effect is open not only to the downside but also to the upside. The direction in which things turn out worse than the objective, and the direction in which they turn out better, are both "effects."

Misread this definition, and the management of the upside drops out. Confine risk to the language of loss prevention, and missing an opportunity itself becomes invisible. Management sees loss prevention and opportunity capture within the same frame. The decision to attack and the decision to defend are not separate things; they are handled as two sides of the same uncertainty. This is the premise on which a later piece, "Why Do Firms Take Risk," will rest.

02 Hazard and Risk Are Different — Without Exposure There Is No Harm

There is another distinction that is easily blurred. Hazard and risk are separate concepts. A cliff is a hazard, but to a person who never goes near it, that cliff is not a risk. Harm arises only when one is exposed to a hazard — that is, only when there is exposure.

So the magnitude of impact is determined less by the hazard itself than by the amount of exposure. For the same price movement, the larger the position held, the larger the swing in profit and loss. To measure risk is not to count whether hazards exist, but to measure how much your firm is exposed.

Hazard
The source that can give rise to harm. Its mere existence does not constitute harm. A cliff, a drug's side effect, market volatility — these all qualify.

Exposure
The amount one is exposed to a hazard. The size of the position held or the degree of involvement. For the same hazard, the amount of exposure decides whether the impact is large or small.

Risk
The effect on objectives, arising from hazard × exposure. Roughly grasped as the product of likelihood and impact.

03 Risk = Likelihood × Impact

In practice, risk is first grasped roughly as the product of likelihood (how prone something is to occur) and impact (how much it bites once it occurs). Before any rigorous probability calculation, you take a bearing on these two axes. The impact side, as in the previous section, is determined by exposure.

What matters here is the view that risk is a "state," not an "event." Speak of it in the binary of whether an accident has occurred, and risk looks like zero until it strikes. In reality, as long as you are exposed, risk is always present. Likelihood × impact, with impact determined by exposure — this decomposition becomes the shared language used throughout the rest of the series.

04 Management's Usage of "Taking Risk"

Once the definitions are aligned, what management means by "taking risk" comes into focus. It is not recklessly plunging into danger. It is the act of accepting uncertainty in order to draw closer to an objective. To go after the possibility of an upside, one simultaneously bears the possibility of a downside. Because there is something that cannot be obtained without taking it, one takes it deliberately.

And who decides how much to take is a separate question. It is the board, not the front line, that authorizes the quantity of risk-taking. That structure of separating oversight from execution is treated in a later piece, "The Board Does Not Manage — The Separation of Oversight and Execution." What this piece pins down is the single word that sits upstream of it: what risk is.

05 To the Materials-Review Floor — Reading It as a Probability Distribution

How does this definition connect to the practice of materials review? The "risk" that management speaks of, which the reviewer faces, is not a story of loss prevention. It is a story about the probability distribution of achieving an objective. Aggressive information provision is the expression of a decision to go after the upside, and on its reverse side the possibility of a downside lives alongside it.

So, as long as a material's deviation is spoken of in the binary of "will it happen or not," it will never mesh with the logic of management's decisions. What should be asked is how much one is exposed, and how wide the impact opens up as a distribution. Read risk as a state, as a distribution. Sharing that vocabulary is the first condition for management and review to talk at the same table.
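The contrast drawn in sections 03 and 05, as an added worked example that is not part of the original piece: the same hazard (a constructed set of possible price moves, not market data) read first in the binary "did a loss occur?" frame, which gives the same answer for every position size, and then as a distribution scaled by exposure, which is where the upside and downside both widen.

```python
from statistics import mean

# Constructed sample of one-period price moves, in whole percent.
# Not market data: chosen so that 4 of 10 scenarios are losses.
PRICE_MOVES = [-5, -3, -2, -1, 0, 1, 2, 3, 4, 6]


def pnl_distribution(price_moves, exposure):
    """Profit/loss in each scenario for a position of size `exposure`.

    The hazard (the set of possible moves) is the same for every position;
    exposure is what scales each outcome, upside and downside alike.
    """
    return [exposure * m / 100 for m in price_moves]


def binary_view(pnl):
    """The 'has an accident occurred?' reading: share of scenarios with a loss.

    Blind to magnitude by construction, so it cannot tell a small
    position from a large one.
    """
    return sum(1 for x in pnl if x < 0) / len(pnl)


def quantile(pnl, level_pct):
    """Nearest-rank quantile of the P&L distribution.

    level_pct=10 picks a bad-tail outcome, level_pct=90 a good-tail one.
    Integer rank arithmetic keeps the example free of float surprises.
    """
    ordered = sorted(pnl)
    idx = min(len(ordered) - 1, (level_pct * len(ordered)) // 100)
    return ordered[idx]


def risk_profile(exposure, price_moves=PRICE_MOVES):
    """Likelihood x impact, read as a distribution rather than a single number."""
    pnl = pnl_distribution(price_moves, exposure)
    losses = [x for x in pnl if x < 0]
    return {
        "loss_likelihood": binary_view(pnl),          # unchanged by exposure
        "expected_loss_given_loss": mean(losses) if losses else 0.0,
        "downside_p10": quantile(pnl, 10),            # scales with exposure
        "upside_p90": quantile(pnl, 90),              # scales with exposure
    }


if __name__ == "__main__":
    for size in (100, 1000):
        print(size, risk_profile(size))
```

Running it shows the loss likelihood stuck at 0.4 for both position sizes while every magnitude figure moves tenfold between them.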

Key Points — Four to Take Away
  1. ISO 31000 defines risk as the "effect of uncertainty on objectives." The effect opens in both the positive and the negative direction.
  2. Hazard and risk are separate concepts. Without exposure, a hazard does not become harm.
  3. Risk = likelihood × impact. The magnitude of impact is determined by exposure.
  4. Management's "taking risk" is the act of accepting uncertainty to draw closer to an objective. Pure avoidance is just one choice among others.

Sources & References
  1. ISO 31000:2018 Risk management — Guidelines. In 3.1, defines risk as the "effect of uncertainty on objectives," showing that the effect runs in both the positive and the negative direction.
  2. COSO ERM (2017) Enterprise Risk Management — Integrating with Strategy and Performance. Ties uncertainty to strategy and performance and sets out a framework for handling risk across the enterprise.