The Oxford English Dictionary cites the earliest use of the word in English (in the spelling of risque from its from French original, 'risque' ) as of 1621, and the spelling as risk from 1655. It defines risk as:

(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.

International Organization for Standardization

The International Organization for Standardization publication ISO 31000 (2009) / ISO Guide 73:2002 definition of risk is the 'effect of uncertainty on objectives'. In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information. It also includes both negative and positive impacts on objectives. Many definitions of risk exist in common usage, however this definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts.

Other

Very different approaches to risk management are taken in different fields, e.g. "Risk is the unwanted subset of a set of uncertain outcomes" (Cornelius Keating).

Risk can be seen as relating to the probability of uncertain future events. For example, according to Factor Analysis of Information Risk, risk is: the probable frequency and probable magnitude of future loss. In computer science this definition is used by The Open Group.

OHSAS (Occupational Health & Safety Advisory Services) defines risk as the combination of the probability of a hazard resulting in an adverse event, and the severity of the event.

In information security risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization".

Financial risk is often defined as the unpredictable variability or volatility of returns, and this would include both potential better-than-expected and worse-than-expected returns. References to negative risk below should be read as also applying to positive impacts or opportunity (e.g. for "loss" read "loss or gain") unless the context precludes this interpretation.

The related terms "threat" and "hazard" are often used to mean something that could cause harm.

Risk is ubiquitous in all areas of life and risk management is something that we all must do, whether we are managing a major organisation or simply crossing the road. When describing risk however, it is convenient to consider that risk practitioners operate in some specific practice areas.

Economic risk

Economic risks can be manifested in lower incomes or higher expenditures than expected. The causes can be many, for instance, the hike in the price for raw materials, the lapsing of deadlines for construction of a new operating facility, disruptions in a production process, emergence of a serious competitor on the market, the loss of key personnel, the change of a political regime, or natural disasters.

Health

Risks in personal health may be reduced by primary prevention actions that decrease early causes of illness or by secondary prevention actions after a person has clearly measured clinical signs or symptoms recognised as risk factors. Tertiary prevention reduces the negative impact of an already established disease by restoring function and reducing disease-related complications. Ethical medical practice requires careful discussion of risk factors with individual patients to obtain informed consent for secondary and tertiary prevention efforts, whereas public health efforts in primary prevention require education of the entire population at risk. In each case, careful communication about risk factors, likely outcomes and certainty must distinguish between causal events that must be decreased and associated events that may be merely consequences rather than causes.

In epidemiology, the lifetime risk of an effect is the cumulative incidence, also called incidence proportion over an entire lifetime.

Health, safety, and environment

In terms of occupational health & safety management, the term 'risk' may be defined as the most likely consequence of a hazard, combined with the likelihood or probability of it occurring.

Health, safety, and environment (HSE) are separate practice areas; however, they are often linked. The reason for this is typically to do with organizational management structures; however, there are strong links among these disciplines. One of the strongest links between these is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts, and much longer-term environmental impacts. Events such as Chernobyl, for example, caused immediate deaths, and in the longer term, deaths from cancers, and left a lasting environmental impact leading to birth defects, impacts on wildlife, etc.

Over time, a form of risk analysis called environmental risk analysis has developed. Environmental risk analysis is a field of study that attempts to understand events and activities that bring risk to human health or the environment.

Human health and environmental risk is the likelihood of an adverse outcome (See adverse outcome pathway). As such, risk is a function of hazard and exposure. Hazard is the intrinsic danger or harm that is posed, e.g. the toxicity of a chemical compound. Exposure is the likely contact with that hazard. Therefore, the risk of even a very hazardous substance approaches zero as the exposure nears zero, given a person's (or other organism's) biological makeup, activities and location (See exposome). Another example of health risks are when certain behaviours, such as risky sexual behaviours, increase the likelihood of contracting HIV.

Social aspects

Individual risk perception and risk taking can also be influenced by social factors. A study using representative household data in the US, Italy and Austria finds evidence that risk taking levels can be influenced by the immediate social environment and by the welfare regime of a state (i.e. different support networks). The study also finds that these factors can interact. Cass Sunstein holds that risk not only is a social construct, but also a correct diagnosis is vital to understand its evolution. State should appeal to the net of experts to avoid populism or risk-neglect, which consists in biased information respecting to the probabilities of risk.

Information technology and information security

Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term was developed as a result of an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it supports.

The increasing dependencies of modern society on information and computers networks (both in private and public sectors, including military) has led to new terms like IT risk and Cyberwarfare.

Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security grew out of practices and procedures of computer security.
Information security has grown to information assurance (IA) i.e. is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analogue or physical form.
Information assurance is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science.

So, IT risk is narrowly focused on computer security, while information security extends to risks related to other forms of information (paper, microfilm). Information assurance risks include the ones related to the consistency of the business information stored in IT systems and the information stored by other means and the relevant business consequences.

Insurance

Insurance is a risk treatment option which involves risk sharing. It can be considered as a form of contingent capital and is akin to purchasing an option in which the buyer pays a small premium to be protected from a potential large loss.

Insurance risk is often taken by insurance companies, who then bear a pool of risks including market risk, credit risk, operational risk, interest rate risk, mortality risk, longevity risks, etc.

Business and management

Means of assessing risk vary widely between professions. Indeed, they may define these professions; for example, a doctor manages medical risk, while a civil engineer manages risk of structural failure. A professional code of ethics is usually focused on risk assessment and mitigation (by the professional on behalf of client, public, society or life in general).

In the workplace, incidental and inherent risks exist. Incidental risks are those that occur naturally in the business but are not part of the core of the business. Inherent risks have a negative effect on the operating profit of the business.

In human services

The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse. "People's autonomy used to be compromised by institution walls, now it's too often our risk management practices", according to John O'Brien. Michael Fischer and Ewan Ferlie (2013) find that contradictions between formal risk controls and the role of subjective factors in human services (such as the role of emotions and ideology) can undermine service values, so producing tensions and even intractable and 'heated' conflict.

High reliability organisations (HROs)

A high reliability organisation (HRO) is an organisation that has succeeded in avoiding catastrophes in an environment where normal accidents can be expected due to risk factors and complexity. Most studies of HROs involve areas such as nuclear aircraft carriers, air traffic control, aerospace and nuclear power stations. Organizations such as these share in common the ability to consistently operate safely in complex, interconnected environments where a single failure in one component could lead to catastrophe. Essentially, they are organisations which appear to operate 'in spite' of an enormous range of risks.

Some of these industries manage risk in a highly quantified and enumerated way. These include the nuclear power and aircraft industries, where the possible failure of a complex series of engineered systems could result in highly undesirable outcomes. The usual measure of risk for a class of events is then: R = probability of the event × the severity of the consequence.

The total risk is then the sum of the individual class-risks; see below.

In the nuclear industry, consequence is often measured in terms of off-site radiological release, and this is often banded into five or six-decade-wide bands.

The risks are evaluated using fault tree/event tree techniques (see safety engineering). Where these risks are low, they are normally considered to be "broadly acceptable". A higher level of risk (typically up to 10 to 100 times what is considered broadly acceptable) has to be justified against the costs of reducing it further and the possible benefits that make it tolerable—these risks are described as "Tolerable if ALARP", where ALARP stands for "as low as reasonably practicable". Risks beyond this level are classified as "intolerable".

The level of risk deemed broadly acceptable has been considered by regulatory bodies in various countries—an early attempt by UK government regulator and academic F. R. Farmer used the example of hill-walking and similar activities, which have definable risks that people appear to find acceptable. This resulted in the so-called Farmer Curve of acceptable probability of an event versus its consequence.

The technique as a whole is usually referred to as probabilistic risk assessment (PRA) (or probabi