Ever wondered why there seem to be so many vague or contradictory definitions for the words “hazard,” “threat” and “risk”? One big reason is that they’re often used interchangeably in the popular press – and even among some security practitioners.
In fact, each does have a distinct (if sometimes overlapping) meaning in the risk management lexicon. Since these are fundamental terms that should be commonly understood by everyone in the security risk profession, we thought it would be worth taking a moment to clarify our definitions.
- Hazard: As in many organizations in the risk community, we use the term “hazard” to refer to any condition or event triggered by nature, or intentionally or accidentally by humans, which could result in disruption, harm or loss. Typically it is a descriptive word or phrase, like “hurricane” or “truck bombing.”
- Threat (Likelihood): On its own the word “threat” is sometimes used to describe a man-made hazard, such as a chemical weapons attack, for which variables like intent and capability can be gauged. More often, though, it is shorthand for “threat likelihood,” which describes the probability of any type of adverse event occurring at a given location during a given time frame. Likelihood is routinely expressed in numerical terms – say, the total number of hurricanes expected this year in South Florida. We typically use “likelihood” as shorthand for “threat likelihood.”
- Risk: “Risk” is a more complex term that incorporates multiple elements of probability, including likelihood. It is defined as the aggregate potential consequences of a hazard event, for instance the expected human casualties and monetary losses resulting from a tsunami.
Despite there being literally hundreds of proprietary methodologies in use today for assessing risk, most calculations rely on some combination of the same three variables:
- The likelihood of a hazard event;
- The vulnerability of assets to that event; and
- The adverse impact of the event.
In many risk calculations, moreover, vulnerability and impact are fused into a single metric called “consequence,” which can be measured in units like fatalities. From this more condensed version comes the widely used formula: Risk = Likelihood × Consequence.
––––––––––––––––
Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.

Comments and Discussion
I’m not sure if this clarifies the issue, or just adds another set of definitions to the mix.
In some risk management “cultures” threats are intentional events while hazards are unintentional (accidents) or natural events. My guess is that this is done for the benefit of those who only spend a fraction of their workday performing risk management functions—it’s just a wee bit easier to visualize things. The side benefit is that if the risk analysis process approaches human-caused events differently, it is possible to bin the analysis processes as either suitable for threats or suitable for hazards.
And in some calculations “consequence” is the fusion of “criticality” and “impact”.
…All of which demonstrates the continuing tension between proponents of different methodologies, and the difficulty in balancing discussions of methodology and analysis. Those tensions, in turn, highlight the chronic difficulties with risk communication.