Understanding Risk Events & Risk Factors

Firstly, the difference between Risk and Risk Event.

Risk represents the potential for something to happen.
Risk Event is the actual occurrence of that potential.

Risk exists before anything happens; it is a possibility.
Risk Event occurs when the possibility becomes reality.

Risk is managed through identification, analysis, and mitigation strategies.
Risk Event is managed through response actions and contingency plans when it occurs.

A Threat, by contrast, is something simpler: a communicated intent to inflict harm.

How about Risk Event vs Threat Event?

Well… Risk Event is something broader and can refer to any sort of event that impacts objectives.

A Threat Event assumes malicious intent: it is a Threat Actor carrying out a previous threat.

Basically, Risk Events include Threat Events.

Examples of Risk Events:

  • regulations with new requirements
  • loss of key personnel
  • natural disasters
  • network intrusions resulting in data exfiltration
  • ransomware attack
  • abuse of positional authority

How about Risk Factors?

A Risk Factor is anything that makes a problem or negative event more likely to happen, without ensuring that it will definitely occur.

Risk – it might rain and spoil the picnic.
Risk Factor – dark clouds in the sky or a weather forecast predicting rain are risk factors. They don’t guarantee it will rain, but they make it more likely.

Quite obviously, smoking is a risk factor for lung cancer. It increases the chances but doesn’t mean every smoker will get lung cancer.

In Project Management, having tight deadlines is a risk factor for project delays. It increases the likelihood of missing deadlines but doesn’t guarantee it.