Defining Different Types of Risk  

People sometimes ask how we should define “strategic risk”. Fortunately this simple question has a simple answer. But answering this question can also help us to define any other type of risk. First let’s consider “strategic risk”:

  • One basic definition of risk is “uncertainty that matters”. We can expand this into a more formal definition such as “any uncertainty that if it occurs will affect achievement of objectives”. Or we can keep it simple, like the definition in the international risk standard ISO31000:2009, where risk is “effect of uncertainty on objectives”.
  • So risk always involves uncertainty. But risk matters because it has the potential to affect objectives.
  • This means that each risk must be linked to at least one objective. Risk cannot be defined in a vacuum or without a context. Wherever we find a risk, we will also find something that is “at risk”, which is our ability to achieve our objectives.
  • Organisations have different types of objectives, ranging from high-level corporate objectives down to detailed technical or operational objectives. Each type of objective can be affected by uncertainty. So where there are multiple levels of objectives, there are also multiple levels of risk.
  • People who are interested in strategic objectives need to know about any uncertainty that could affect their ability to achieve those objectives. So now we can define strategic risk. It is “any uncertainty that if it occurs will affect achievement of strategic objectives”.


And there you have it – simple!

We can use the same thinking to distinguish a variety of risks, by linking them to a range of different objectives. For example:

  • Project risks are uncertainties that would affect achievement of project objectives
  • Technical risks affect achievement of technical objectives
  • Environmental risks affect environmental objectives
  • Reputation risks affect reputational objectives
  • Safety risks affect safety objectives
  • Personal risks affect personal objectives
  • and so on

The distinctive characteristic of strategic risks is that they are linked to strategic objectives. This is also important when we consider risk ownership. Each risk should be owned by the person who owns the objective that would be affected. So strategic risks usually have senior management owners, since these are the people who are responsible for achievement of strategic objectives. In the same way, project risks are usually owned by people at the project level, most technical risks are owned by technical staff, and each one of us has to take responsibility for managing our own personal risks.

Defining risk at different levels is easy. Start with the objectives at that level, and look for the uncertainties that matter. Only then can we manage risk wherever we encounter it.


[© Copyright April 2012, David Hillson/Risk Doctor & Partners]
