COBIT: Risk is generally defined as the combination of the probability of an event and its consequence.

FAIR: The probable frequency and magnitude of future

AIE/Hubbard: 1) The probability and magnitude of a loss, disaster, or other undesirable event. 2) A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable

Measurement of Risk: A set of possibilities, each with quantified probabilities and quantified losses. For example: “we believe there is a 40% chance the proposed oil well will be dry, with a loss of $12 million in exploratory drilling costs.”
AIE/Hubbard: The lack of complete certainty, that is, the existence of more than one possibility. The “true” outcome/state/result/value is not known.

Measurement of Uncertainty: A set of probabilities assigned to a set of possibilities. For example: “there is a 60% chance this market will more than double in five years, a 30% chance it will grow at a slower rate, and a 10% chance the market will shrink in the same period.”
FAIR: The combination of personnel, policies, processes, and technologies that enable an organization to cost-effectively achieve an acceptable level of loss exposure.

AIE/Hubbard: Long definition: The identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Shorter definition: Being smart about taking chances.

ISO Guide 73:2002: Coordinated activities to direct and control an organization with regard to risk.

ISACA CRISC: The coordinated activities to direct and control an enterprise with regard to risk.

Risk management is the identification, assessment and prioritization of risk, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of adverse events or to maximize the realization of
Scenarios are a powerful tool in a risk manager’s armory—they help professionals ask the right questions and prepare for the unexpected. Scenario analysis has become a ‘new’ and best practice in enterprise risk management (ERM).

Example Risk Scenario Statement

Risk scenario statement: What is the risk associated with PHI being exposed via a lost/stolen laptop?