(1) Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components:
- The probability (or likelihood) of failing to achieve a particular outcome and
- The consequences (or impact) of failing to achieve that outcome. (DAU, 2003)
A risk has a probability of occurrence that is greater than zero but less than one, a consequence of occurrence greater than zero, and a time-frame in the future. (Conrow 2008)
(2) In the domain of catastrophic risk analysis, such as for terrorist attacks or natural disasters, risk has three components:
- Threat (the probability that a specific target is attacked in a specific way during a specified period)
- Vulnerability (the probability that damage occurs given a threat), and
- Consequence (the magnitude and type of damage resulting from an attack or disaster). (Willis et al. 2005)
(1) Conrow, E. 2008. Risk Analysis for Space Systems. Paper presented at Space Systems Engineering and Risk Management Symposium, 27-29 February, 2008, Los Angeles, CA, USA.
(1) DAU. 2003. Risk Management Guide for DoD Acquisition: Fifth Edition. Ft. Belvoir, VA, USA: Defense Acquisition University (DAU)/U.S. Department of Defense, Fifth Edition, Version 2.
(2) Willis, H.H., A.R. Morral, T.K. Kelly, and J.J. Medby. 2005. Estimating Terrorism Risk. Santa Monica, CA: The RAND Corporation, MG-388.
Definition (1) or related definitions are in widespread project risk management use. The definition has been extended to include time-frame. Definition (2) or related definitions are in widespread use for catastrophic risk analysis (e.g., threat, disaster, information assurance). Definition (1) defines risk in terms of probablity of occurrence, consequence of occurrence, and time-frame; all of which are measurable. Likewise, definition (2) defines risk in terms of threat, vulnerability, and consequence of occurrence; all of which are measurable.