What is a Risk?
Table of Contents: Definition – Negative connotations – Categories – Questions from the field – Notes
Smartpedia: A risk is an evaluated future event with a negative (in the narrower sense) or positive (in the broader sense) deviation from the target state.
Risk – the deviation from the target state due to assessed future events
Risks are an integral part of entrepreneurial activity, since the future and the effects of actions cannot be predicted with certainty. But what is a risk in the narrower sense? To answer this question, it is worth defining the terms danger, risk and venture:
A danger arises when a situation has a damaging effect. The prerequisite for this is exposure of a person, a group of persons or objects. A fire in an office building in Stuttgart does not pose a danger to a development team in Berlin. However, if the team were in the building in Stuttgart, they would face a danger.
A risk is a danger that has been assessed in terms of its probability of occurrence and the extent of the damage it could cause. For example: If the server that hosts the results of the Berlin development team is located in the Stuttgart office building, there is a risk that the entire work could be lost in a fire. The extent of the damage increases depending on the work invested or existing agreements with customers.
A venture is understood to be the conscious taking of risks. If a separate storage location or backup of the development team’s results at a different location was not provided, then that would be a venture. Here, it could also be referred to as tolerance.
There are other ways of looking at risk. The PMBOK Guide defines it in broader terms as an uncertain event or condition that, if it occurs, could have an effect, either positive or negative, on the project objectives. A risk is not necessarily just a negative event; it can also represent a positive deviation from the desired target state. [1]
Why do risks have negative connotations?
The concept of risk often has negative connotations, although by definition it also includes opportunities. There are several psychological, linguistic and practical reasons for this.
From a psychological point of view, loss aversion often outweighs the perception of opportunities. The Prospect Theory by Kahneman & Tversky [2] shows that people weight losses more heavily than equivalent gains. A risk with a potential negative impact therefore seems more serious than one with a potential opportunity. From an evolutionary perspective, humans have also learned to avoid danger in order to ensure their survival. Risks are therefore perceived as a threat rather than as an opportunity.
Linguistic and cultural influences also contribute to the negative perception of the term. In everyday language, risk is usually associated with danger, as in the risk of illness, financial risk or accident risk. Positive risks, i.e. opportunities, are rarely explicitly referred to as risk. The media reinforce this perception, as reporting often focuses on threats, catastrophes and scandals. In addition, risk is traditionally viewed as something negative in many industries. In areas such as insurance, construction or healthcare, the focus is on avoiding damage, which is why risks there are almost exclusively seen as a threat.
Practical challenges further reinforce this view. While threats can usually be calculated in concrete terms based on probabilities and the potential extent of damage, opportunities are often more difficult to measure. Companies therefore focus their risk management primarily on damage limitation, while the targeted management of opportunities tends to be anchored in separate disciplines such as innovation or strategy management. Regulatory requirements also contribute to the fact that organisations have to minimise risks, while there are rarely regulations to actively maximise opportunities.
Taken together, these factors mean that risk, despite its neutral definition, is usually understood as a threat. To counteract this one-sided understanding, terms such as opportunity management are increasingly being established to specifically exploit the positive aspects of uncertainty. A stronger integration of opportunities into traditional risk management could help companies not only to minimise risks, but also to strategically exploit new possibilities.
Categories of risk
Risks can be categorised according to the area they affect or their impact. The following classification shows some important types of risk:
1. Strategic risks
Strategic risks affect the long-term direction of an organisation. They arise from wrong decisions or unexpected developments in the market.
Examples:
- Changes in the competitive environment (e.g. new market entrants)
- Technological disruptions (e.g. the decline of Nokia due to smartphones)
- Reputational risks (e.g. loss of image due to scandals)
2. Operational risks
Operational risks arise from internal processes, systems or human error.
Examples:
- IT failures and cyber attacks
- Production errors or supply chain problems
- Employee turnover or wrong decisions in day-to-day business
3. Financial risks
These risks affect the financial stability of companies or individuals.
Examples:
- Currency risks (e.g. exchange rate fluctuations in international business)
- Liquidity risks (e.g. insolvency due to unexpected expenses)
- Credit risks (e.g. customer or partner payment defaults)
4. Technical risks
These risks arise from the use of technologies, machines or software.
Examples:
- Malfunctioning machines or software errors
- Security breaches in IT systems
- Failed innovations or new technologies without market penetration
5. Legal and regulatory risks
These arise from changing laws, regulations or contracts.
Examples:
- New data protection laws (e.g. GDPR)
- Stricter environmental regulations or tax rules
- Contract risks due to unclear or disadvantageous agreements
6. Project and development risks
These relate to specific projects and their implementation.
Examples:
- Delays due to planning errors or lack of resources
- Cost overruns due to incorrect calculations
- Non-compliance with quality requirements
7. Environmental and natural disaster risks
These risks are often uncontrollable but can have a huge impact.
Examples:
- Earthquakes, floods or storms
- Climate change and its consequences
- Environmental pollution and regulatory changes
8. Political and social risks
These risks arise from political decisions or social developments.
Examples:
- Trade wars or economic sanctions
- Social unrest or protests
- Change of government with new economic or regulatory parameters
In addition to the classification by content, risks are also categorised according to whether and how they can be controlled:
| Risk type | Description | Example |
|---|---|---|
| Avoidable risks | Can be eliminated or greatly reduced by taking measures | IT security risks through regular updates |
| Calculable risks | Can be calculated and controlled by safeguards (e.g. insurance) | Currency risks in export business |
| Unforeseeable risks | Unpredictable and difficult to control | Natural disasters or political crises |
| Opportunities | Potentially positive effects if consciously taken | Investments in new technologies |
A company or organisation cannot avoid all risks, but it can recognise, evaluate and consciously manage them. The more precisely risks are classified, the more targeted the development of preventive measures, emergency plans or insurance strategies can be.
Questions from the field
Here are some questions and answers from the field:
Why are risks important?
Risks can have negative consequences, but they are also often necessary for progress and innovation. Without risk, there would be no economic investment, no technical innovation and no social change. Therefore, dealing consciously with risks is crucial – at the individual, corporate and societal level.
The ability to identify, analyse and control risks is an essential part of making successful decisions. This is precisely where risk management comes in.
What are the objectives and tasks of risk management?
The objectives of risk management are:
- to reduce the probability of a risk occurring and
- to reduce the extent of the damage.
In practice, there are always discussions about determining the probability of occurrence, as this is often done by extrapolating from past experiences. This is considered difficult because projects are unique and a lot of experience cannot be meaningfully transferred to other situations and undertakings. There is a risk of an illusory, psychological sense of security.
Risk management typically involves the following tasks:
- Identifying and documenting risks with cause and effect.
- Determining probabilities of occurrence, extent of damage, as well as potential delays and costs.
- Clear presentation, e.g. with a risk matrix that visualises a set of risks, usually depending on their probability of occurrence and potential impact.
- Definition and documentation of measures to avoid, reduce, transfer or tolerate risks.
- Continuous monitoring of risks and measures, as well as the definition of responsibilities.
- Joint management of all information in a common system.
- Taking into account the risks in other corporate disciplines such as project management, requirements management or change management.
- Regular communication about risks, e.g. in a project with project participants or in the steering committee.
Companies should bear in mind that risk management is a process and an ongoing task.
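The tasks listed above (documenting risks with cause and effect, rating probability and extent of damage, visualising them in a risk matrix, recording measures and responsibilities, and monitoring them) can be made concrete in a small risk register. The following Python script is an added example written for this article, not code from t2informatik. The 1 to 5 ordinal scales, the low/medium/high thresholds and the sample register entries (loosely based on the article's own examples) are assumptions chosen for the example; an organisation defines its own scales and policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ordinal scales for probability and impact, the two axes of a 5x5 risk matrix.
SCALE_MIN, SCALE_MAX = 1, 5
# The four response types named in the article; "" means no measure has been defined yet.
TREATMENTS = {"avoid", "reduce", "transfer", "tolerate", ""}


@dataclass(frozen=True)
class Risk:
    """One register entry: the risk, its cause and effect, its rating and its handling."""
    name: str
    cause: str
    effect: str
    probability: int      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (negligible) .. 5 (catastrophic), assumed scale
    treatment: str = ""   # avoid / reduce / transfer / tolerate, or "" if undefined
    owner: str = ""       # responsible person or team, "" if nobody is assigned

    def __post_init__(self) -> None:
        for attr in ("probability", "impact"):
            value = getattr(self, attr)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{attr} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")


def score(risk: Risk) -> int:
    """Risk score = probability x impact (1..25)."""
    return risk.probability * risk.impact


def rating(risk: Risk) -> str:
    """Bucket the score into low / medium / high; the thresholds are assumptions."""
    s = score(risk)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; on equal scores the larger impact ranks higher."""
    return sorted(register, key=lambda r: (score(r), r.impact), reverse=True)


def risk_matrix(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by their (probability, impact) cell of the matrix."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cells.setdefault((r.probability, r.impact), []).append(r.name)
    return cells


def render_matrix(register: List[Risk]) -> str:
    """Text matrix: rows are probability (highest at the top), columns impact; cells count risks."""
    cells = risk_matrix(register)
    columns = range(SCALE_MIN, SCALE_MAX + 1)
    lines = ["P\\I | " + " ".join(f"{i:>2}" for i in columns)]
    for p in range(SCALE_MAX, SCALE_MIN - 1, -1):
        row = " ".join(f"{len(cells.get((p, i), [])):>2}" for i in columns)
        lines.append(f"{p:>3} | {row}")
    return "\n".join(lines)


def review_gaps(register: List[Risk]) -> List[Tuple[str, str]]:
    """Monitoring check: every medium or high risk needs a defined measure and a responsible owner."""
    gaps = []
    for r in prioritise(register):
        if rating(r) == "low":
            continue
        if r.treatment == "":
            gaps.append((r.name, "no treatment"))
        if r.owner == "":
            gaps.append((r.name, "no owner"))
    return gaps


# Constructed sample register (assumed values, loosely based on the article's examples).
SAMPLE_REGISTER = [
    Risk("Fire destroys team server", "Server with the Berlin team's results sits in the Stuttgart building",
         "Loss of all development results", 2, 5, "reduce", "IT operations"),
    Risk("Key supplier fails", "Supplier insolvency", "Delivery delays", 3, 4),
    Risk("Currency risk in export business", "Exchange rate fluctuations", "Lower margins", 3, 5, "transfer", "Finance"),
    Risk("Cyber attack on customer portal", "Unpatched web application", "Data breach, downtime", 4, 4, "reduce"),
    Risk("Unclear contract clause", "Ambiguous wording in service contract", "Dispute over scope", 2, 2, "tolerate", "Legal"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{score(r):>2} {rating(r):<6} {r.name} [{r.treatment or '-'} / {r.owner or '-'}]")
    print(render_matrix(SAMPLE_REGISTER))
    for name, problem in review_gaps(SAMPLE_REGISTER):
        print(f"GAP: {name}: {problem}")
```

The `review_gaps` check is the part that keeps a register from "disappearing into a drawer": run it on every review cycle and treat each reported gap as an open task with a deadline. The ordinal product is deliberately simple; where the article's "potential delays and costs" can be estimated in money, the same structure works with expected loss (probability times cost) as the score.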
Why do people perceive risks differently and what does this mean for companies?
People use mental shortcuts (heuristics) to quickly assess risks. However, these often lead to systematic misjudgements. Important cognitive distortions in risk management are:
- People overestimate risks that can be easily recalled from memory (e.g. plane crashes, terrorist attacks), while they underestimate more frequent but less media-present risks (e.g. car accidents). This is called the availability heuristic.
- People tend to assess their own risk as lower than the risk of others. ‘Nothing will happen to me!’ is a good example of the optimism bias.
- People deliberately look for information that supports their existing opinion about a risk and ignore contrary evidence (confirmation bias).
- After an event, it seems predictable in retrospect, even if it was not before. ‘That was obvious!’ is a fitting saying for hindsight bias.
In addition to cognitive distortions, emotions also play a major role in risk perception:
Anyone who has ever had a negative experience with a risk (e.g. financial crisis, data breach) tends to perceive future risks as more threatening. Those who live with a risk on a daily basis often no longer perceive it as threatening (e.g. mountaineers, firefighters). And if a risk is associated with positive emotions (e.g. adventure, reward), it is more likely to be taken than with negative associations (e.g. threat, loss).
And last but not least, the perception of risks also differs between societies, industries and social groups:
- In collectivist cultures (e.g. Japan), people tend to avoid risks more than in individualistic cultures (e.g. the USA).
- An investment banker perceives risks differently than an aviation safety engineer.
- Within a company, risk perception can vary from department to department (e.g. sales vs. compliance).
What does this mean for companies? Their risk communication should take biases into account and be based on facts. Decision-making processes should be designed to minimise the influence of heuristics and biases. And differing risk perceptions within teams must be balanced out by structured decision-making processes.
What are known and unknown unknowns?
- Known unknowns are risks that have already been recognised as potential threats, but whose exact impact or probability of occurrence is uncertain. Example: A company knows that a supplier could fail, but does not know exactly when or how.
- Unknown unknowns are completely unexpected events that lie outside the scope of previous experience and cannot be foreseen. Example: The COVID-19 pandemic or sudden technological breakthroughs.
Why is this distinction important? Known unknowns can be managed with preventive measures (e.g. emergency plans, risk assessment). Unknown unknowns require flexible strategies, innovative ability and a resilient organisation to cope with unexpected events.
Companies should therefore both prepare for plannable risks and develop the resilience to respond to the unexpected.
What role does risk culture play in the success of a company?
A good risk culture is characterised by the following:
- Risks are recognised early and openly communicated instead of being played down or kept secret.
- There are defined roles for risk management and every employee understands their responsibilities.
- Companies with a strong risk culture systematically analyse mistakes in order to continuously improve. At the same time, this promotes innovation without encouraging negligent decisions.
Companies like Google or Tesla deliberately rely on experiments and calculated risks to drive innovation while learning from mistakes. Companies with risky financial decisions and insufficient risk management (e.g. banks in the 2008 financial crisis) have shown that a lack of risk control can have massive economic consequences.
Impulse to discuss:
How do you prevent risk assessments from ‘disappearing into a drawer’ and only being considered in an emergency?
Notes:
[1] In some publications, such as the Organisationshandbuch (Organisational Handbook) of the Federal Ministry of the Interior and for Home Affairs, two different risk categories are also mentioned in this context.
[2] Daniel Kahneman and Amos Tversky: Prospect Theory: An Analysis of Decision under Risk