According to the ISO 31000 (2009) standard, risk is defined as the "effect of uncertainty on objectives". Both positive and negative effects on objectives are included, and uncertainty covers not only events that may or may not happen but also ambiguity or a lack of information.

By contrast, the standard definitions of risk found in dictionaries focus almost entirely on negative impacts, as in:

  • risk - the possibility of loss or injury, or
  • risk - someone or something that creates or suggests a hazard

When thinking of risk in a business setting, both of these approaches may be useful depending on the situation. A very clear example is the case of insurance, where risk is treated as a negative impact. Another, equally clear, example is the case of asset returns, where risk is instead treated as the uncertainty of future returns.


If you are exposed to risk, it is natural to want to manage that exposure in some way. But how you go about managing that risk differs depending on the field you are in, as does how you categorise the risks that exist.

Here, we are mainly interested in risks that in some way have an effect on a company's balance sheet and, as a result, on the company's ability to generate profits. Risk categories that are of natural interest to us are thus:

  • Market risk
  • Insurance risk
  • Counterparty default risk

But given various regulatory efforts by the EU and other states, we also have to include the following categories, since they affect the so-called capital requirement, and thus the balance sheet of the regulated entity:

  • Operational risk 
  • Concentration risk

The practice of managing risks is commonly known as risk management.