This page has been moved to the eSSIF-Lab Framework on Github.

Short Description

A Risk is the effects that uncertainty can have on the intended realization of an objective of a party (which we call the risk owner). Uncertainty is a lack of information, understanding or knowledge of events, their consequences or likelihoods, and this may affect the results that a party expects and intends to realize so as to fulfil its objectives.

While traditionally these effects are assumed to be negative (i.e. damaging, harmful) to this party, they may also be positive. For example, if you buy a ticket in a lottery, you (should) expect to lose money (the price of the ticket). However, there is uncertainty, a lack of information, and its effect may be that the intended/expected result is deviated from: you actually win a prize. If this risk is unacceptable (e.g. because you do not know how to manage large amounts of money), then the risk would need to be managed.

Risk is about the possible effects that uncertainty may have on the intended/expected realization of an objective of some party. In this sense, at least in theory, 'risk' is an objective notion, because different parties may arrive at the same ideas about what such effects on a given objective could be. However, since an objective is owned by precisely one party, and therefore only that party actually knows the actual meaning of that objective, in practice there is little point in drafting lists of such possible effects to make risk assessments easier.

An acceptable risk is a set of such effects that the risk owner has decided that it can, and is willing to, deal with as they materialize. Such risks need no further attention. Other risks do need attention and should be managed. Often, risks are assigned a risk level to help risk owners prioritize them, allowing the most important risks to be managed before the less important ones.

The owner of a risk that is associated with an objective must be the party that owns that objective, and vice versa, because ownership implies the authority to realize the objective, which in turn implies the authority to manage the associated risks. Of course, as owners are parties, a risk owner may mandate actors to execute the actions that are necessary to manage a risk, but that does not relieve the party of its ownership (nor of facing any associated consequences). In fact, the objective of mandating risk management activities may itself come with risks, which are often overlooked.


The concept of (managing) risk enables risk owners to become and stay successful. The reason is simple: nobody knows everything, so there are always uncertainties, i.e. a lack of information, understanding or knowledge of events, their consequences or likelihoods. The effects that such uncertainties can have on the realization of one's objectives can be very harmful and should be mitigated. Knowing such effects enables parties to mitigate their risks. But such uncertainties may also be joyful (e.g. as in a lottery), and it may be useful to properly prepare for the opportunities that may arise.

