IT risk approach for successful compliance implementation
There are many definitions of IT risk, but first a reminder that every business venture is inherently risky. In new business ventures and new product development there are unknown factors, and their impact on the venture is equally unknown. The unknown factors may be favorable or unfavorable, so there is a probability that one will either gain or lose. A loss, however, may hurt the venture. Here are some of the definitions:
1. Risk is the probability of suffering loss.
A refinement of this definition is to include goals, gains, or opportunities in the statement. Perhaps it is implied and obvious that risks are connected with gains. Nevertheless, if risks are divorced from the associated goals, then one sees just a set of problems. A risk list should not be reduced to a problem list. Risks have a much broader role to play.
2. Risk is the probability of suffering loss while pursuing goals.
Then there is the magnitude of harm from the risk. What will its impact be? The consequence of the risk is evaluated. If the harm is tolerable but the gains are attractive, new decision rules emerge: one may even take a risk whose probability of occurrence is greater than 50 percent. There is no fixed threshold, such as 49 percent, below which a risk becomes acceptable. Risk is seen as a weighted parameter, where the weight is the magnitude of the loss the risk would cause if it ever occurred. Risk is therefore defined as the combination of the probability of occurrence and the magnitude of the loss it causes. This combination is also known as risk exposure.
3. Risk is the combination of probability and magnitude of loss.
Measurement of risk is often a subjective process. Both the probability and the loss are commonly rated using linguistic measures such as "high," "medium," and "low." What matters is not just the risk but its intensity, measured as risk exposure. Will the risk occur? What will the harm be? These are more significant questions than "What is the risk?" A clarification is due at this juncture: if a loss occurs because of factors within our control, it is not considered a risk. Factors beyond our control are what give rise to risk.
4. Risk is the probability of suffering loss while pursuing goals due to factors that are unpredictable or beyond our control.
Sometimes processes are not under control and results are neither predictable nor what was intended. Such losses become risks. In this case the origin of the loss is not the criterion; predictability and control are the deciding factors.
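To make the definitions above concrete, here is a small Python illustration added to this page; it is not code from the book or from its author. It scores a constructed risk register the way the text describes: linguistic probability ratings are mapped to numbers, risk exposure is computed as probability combined with magnitude of loss, items caused by factors within our control are set aside as problems rather than risks, and the accept-or-mitigate decision weighs exposure against the gain pursued (and against what loss the venture can absorb) instead of using a fixed probability cut-off. The rating-to-probability mapping, the loss tolerance, and every register entry are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed mapping from linguistic probability ratings to a representative
# probability; the numbers are illustrative, not taken from the book.
PROBABILITY = {"low": 0.1, "medium": 0.5, "high": 0.8}

# Assumed: the largest single loss the venture could absorb (currency units).
LOSS_TOLERANCE = 120_000.0


@dataclass(frozen=True)
class Item:
    name: str
    probability: str       # linguistic rating: "low" | "medium" | "high"
    loss: float            # magnitude of loss if the item occurs
    expected_gain: float   # value of the goal pursued by accepting the item
    within_control: bool   # True: a loss we can prevent, i.e. a problem, not a risk


def exposure(item: Item) -> float:
    """Risk exposure: probability of occurrence combined with magnitude of loss."""
    return PROBABILITY[item.probability] * item.loss


def split_register(items):
    """Separate risks from problems.

    Losses caused by factors within our control are problems to be fixed;
    only losses from unpredictable or uncontrollable factors are risks.
    """
    risks = [i for i in items if not i.within_control]
    problems = [i for i in items if i.within_control]
    return risks, problems


def decide(item: Item, tolerance: float = LOSS_TOLERANCE) -> str:
    """Decision rule weighing exposure against gain, not a fixed probability threshold.

    A loss the venture cannot absorb is mitigated whatever its probability.
    Otherwise the risk is accepted when its weighted loss (exposure) is below
    the gain it is taken for, even if the probability of occurrence exceeds
    50 percent.
    """
    if item.loss > tolerance:
        return "mitigate"
    if exposure(item) < item.expected_gain:
        return "accept"
    return "mitigate"


def rank_risks(items):
    """Risks ordered by exposure, highest first; problems are left out."""
    risks, _ = split_register(items)
    return sorted(risks, key=exposure, reverse=True)


# Constructed sample register (not real project data).
REGISTER = [
    Item("Vendor library deprecated mid-project", "high", 20_000, 100_000, False),
    Item("Key engineer leaves before release", "medium", 150_000, 100_000, False),
    Item("Outage during launch window", "high", 110_000, 50_000, False),
    Item("Build server has no backups", "high", 60_000, 100_000, True),
]

if __name__ == "__main__":
    _, problems = split_register(REGISTER)
    for r in rank_risks(REGISTER):
        print(f"{r.name:40} p={PROBABILITY[r.probability]:.1f} "
              f"loss={r.loss:>9,.0f} exposure={exposure(r):>9,.0f} -> {decide(r)}")
    for p in problems:
        print(f"{p.name:40} problem within our control: fix it, not a risk")
```

In this register the deprecated-library item is accepted despite an 80 percent probability, because its exposure is small next to the gain; the departing-engineer item is mitigated although its exposure is below the gain, because the loss itself exceeds what the venture can absorb; the outage is mitigated on exposure alone; and the missing backups never reach the risk list at all, since that loss is within our control.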
Summary from Applied Software Risk Management by C. Ravindranath Pandian