Definition (EN)
Risk is the effect of uncertainty on objectives.
Explanation (EN)
Risk refers to the possibility that events or conditions may occur that affect the achievement of organisational objectives, either positively or negatively.
In information security and cybersecurity contexts, risk is typically expressed as a combination of the likelihood of a threat exploiting a vulnerability and the resulting impact on assets, individuals, or the organisation.
Risk is analysed and evaluated using defined risk criteria to determine the need for risk treatment or acceptance.
Dutch term (NL)
Risico
Definition (NL)
Risk is the effect of uncertainty on objectives.
Explanation (NL)
Risk refers to the possibility that events or circumstances occur that influence the achievement of organisational objectives, both positively and negatively.
In the context of information security and cybersecurity, risk is usually expressed as a combination of the likelihood that a threat exploits a vulnerability and the resulting impact on assets, persons or the organisation.
Risks are analysed and evaluated against established risk criteria to determine whether risk treatment or risk acceptance is required.
Source
ISO 31000:2018 — Risk management — Guidelines
ISO 31073:2022 — Risk management — Vocabulary
ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks
Related terms
Risk management
Risk assessment
Risk criteria
Risk treatment
Residual risk
Threat
Definition by ComplianceForge Reference Model
Risks represent a situation where someone or something valued is exposed to danger, harm or loss (noun) or to expose someone or something valued to danger, harm or loss (verb).
Risk is often calculated by a formula of the Occurrence Likelihood (OL) x the Impact Effect (IE) in an attempt to quantify the potential magnitude of a risk instance materializing.
In practical terms, a risk is associated with a Control deficiency (e.g., if the control fails, what risk(s) is the organization exposed to?).
While it is not possible to have a totally risk-free environment, it may be possible to manage risk by (1) avoiding, (2) reducing, (3) transferring, or (4) accepting risk(s).
An organization should maintain a “risk catalog” that contains organization-specific risks.
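The following is an added worked example, not code from ISO 31000, ISO/IEC 27005 or the ComplianceForge Reference Model. It puts the OL x IE formula, the risk criteria used to decide between treatment and acceptance, the residual risk that remains once operating controls are credited, and the "what if this control fails?" question into a small risk catalog. The five-point scales, the RISK_APPETITE threshold, the control reduction values and the three catalog entries are all constructed for illustration; an organisation defines its own.

```python
"""Minimal risk catalog: OL x IE scoring evaluated against a risk criterion.

Added example; scales, threshold, controls and sample risks are constructed.
"""
from dataclasses import dataclass, field

# Five-point ordinal scales (constructed; an organisation defines its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criterion (constructed): residual scores at or below this are acceptable.
RISK_APPETITE = 6


@dataclass
class Control:
    name: str
    ol_reduction: int = 0   # steps by which the control lowers Occurrence Likelihood
    ie_reduction: int = 0   # steps by which the control lowers Impact Effect
    operating: bool = True  # False models a control deficiency


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str         # key into LIKELIHOOD
    impact: str             # key into IMPACT
    controls: list[Control] = field(default_factory=list)


def score(ol: int, ie: int) -> int:
    """Occurrence Likelihood x Impact Effect."""
    return ol * ie


def inherent(risk: Risk) -> int:
    """Score before any control is credited."""
    return score(LIKELIHOOD[risk.likelihood], IMPACT[risk.impact])


def residual(risk: Risk) -> int:
    """Score after crediting only the controls that are actually operating.

    A failed control contributes nothing, so the residual score climbs back
    towards the inherent score: that gap is the exposure a control deficiency
    creates. Reductions are clamped so neither factor drops below 1.
    """
    ol = LIKELIHOOD[risk.likelihood]
    ie = IMPACT[risk.impact]
    for c in risk.controls:
        if c.operating:
            ol -= c.ol_reduction
            ie -= c.ie_reduction
    return score(max(ol, 1), max(ie, 1))


def decide(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Evaluate residual risk against the criterion: 'accept' or 'treat'."""
    return "accept" if residual(risk) <= appetite else "treat"


def control_failure_impact(risk: Risk, control_name: str) -> tuple[int, str]:
    """Answer 'if this control fails, what is the organisation exposed to?'
    without mutating the catalog entry."""
    degraded = Risk(
        risk.risk_id, risk.description, risk.likelihood, risk.impact,
        [Control(c.name, c.ol_reduction, c.ie_reduction,
                 c.operating and c.name != control_name) for c in risk.controls],
    )
    return residual(degraded), decide(degraded)


# Constructed sample catalog (hypothetical risks and controls).
CATALOG = [
    Risk("R-001", "Ransomware encrypts the file server", "likely", "severe",
         [Control("EDR on servers", ol_reduction=1),
          Control("Offline backups", ie_reduction=2)]),
    Risk("R-002", "Laptop with customer data lost or stolen", "possible", "major",
         [Control("Full-disk encryption", ie_reduction=3)]),
    Risk("R-003", "Build pipeline token leaked in logs", "unlikely", "moderate"),
]


def evaluate_catalog(catalog: list[Risk] = CATALOG) -> list[dict]:
    """Score every entry, highest residual first, so treatment effort is ordered."""
    rows = [{"id": r.risk_id, "inherent": inherent(r), "residual": residual(r),
             "decision": decide(r)} for r in catalog]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


if __name__ == "__main__":
    for row in evaluate_catalog():
        print(row)
    # R-002 is acceptable only while disk encryption operates.
    print(control_failure_impact(CATALOG[1], "Full-disk encryption"))
```

R-002 illustrates the point about control deficiencies: with full-disk encryption operating it scores 3 and is accepted, but if that control fails the residual returns to the inherent 12 and the entry crosses the criterion into "treat". Which of avoid, reduce or transfer is chosen for the entries marked "treat" is a management decision the score alone does not make.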