A risk is an uncertain event or condition that, if it occurs, has a positive (opportunity) or negative (threat) effect on objectives. Risk management exists to maximise opportunity and minimise threat — protecting and creating value across projects, programs and portfolios.
The Core Distinctions

Term            | Means                              | Not to be confused with
Risk            | Uncertain — may happen (future)    | Issue — has already occurred (now)
Threat          | Risk with a negative effect        | Opportunity — risk with a positive effect
Individual risk | One discrete event/condition       | Overall risk — aggregate effect of all uncertainty
Secondary risk  | Created by a response              | Residual risk — left after a response
How Much Risk? — The Appetite Stack
Risk appetite — the amount of risk an organisation is willing to pursue (board-level).
Risk tolerance — the acceptable variation around objectives.
Risk threshold — the measurable trigger point where action is required.
Risk capacity — the maximum risk the organisation can absorb.
Best information — explicit about uncertainty & bias.
Transparent & inclusive communication.
Iterative & responsive to change.
Clear ownership & accountability.
Risk-aware culture — everyone, continuously.
Exam Concepts
Risk is both positive & negative — opportunities are risks.
Risk = future & uncertain; an issue is certain / already here.
Appetite ≠ tolerance ≠ threshold — know each.
Secondary vs residual risk; individual vs overall risk.
Executive View
Risk appetite is a board-level strategic statement.
Risk-adjusted decisions beat gut calls — fund uncertainty deliberately.
A risk-aware culture surfaces bad news early.
Industry Example
Defence
Threat: a single-source forging supplier could slip 12 weeks. Opportunity: a new alloy could cut hull weight and win follow-on work. Both are logged, owned and managed.