1. Risk is a concept. It is a measure of uncertainty (probabilities). In a business process, the uncertainty concerns the achievement of organizational objectives. Risk may involve positive or negative consequences, although most positive consequences are known as opportunities, and most negative consequences are called threats or risks.
  2. Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).
  3. Risk is based on two factors:
    a. Probability of occurrence
    b. Expected loss
  4. The effects of risk and uncertainty can result in good or bad consequences. Consequences can vary in sensitivity depending on a number of factors:
    a. The assets at risk (Exposure)
    b. The type of threat
    c. The duration of consequences
    d. The effectiveness of controls in place