WHAT EXACTLY DO WE MEAN BY "RISK?"
Risk means different things to different people. Both upside and downside can be included. David Hillson, known as the Risk Doctor, has simplified the definition of risk by calling risk "uncertainty that matters." More complex definitions exist. For example, the international ISO Risk Management Standard (ISO 31000:2009) defines risk as an effect of uncertainty on objectives. This effect—a deviation from the expected—can be positive or negative. Uncertainty, again, is defined in the standard as "the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood." A more basic definition would be to say that uncertainty means lack of certainty.
The 2008 edition of the US-based PMI Guide to the Project Management Body of Knowledge defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives. The Risk Management Standard of the major risk management organizations in the UK—the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC) and the National Forum for Risk Management in the Public Sector (ALARM)—defines risk slightly differently as the combination of the probability of an event and its consequences, stating that in all types of undertakings, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).
In this book, the word "risk" is used for the downside: the possibility that something unpleasant or unwelcome will happen, leading to unfavorable outcomes. What the above definitions see as "upside risk," we call "opportunity." In this way, we distinguish between risk (or threat) and opportunity: we use the word risk (or threat) for uncertain events that could affect objectives adversely, while we use the word opportunity for uncertain events that could affect objectives beneficially.
- See, for instance, Hillson, D. and Murray-Webster, R. (2007) Understanding and Managing Risk Attitude, 2nd edn. Farnham: Gower Publishing, p. 5, and briefings and articles available at http://www.risk-doctor.com.
- PMBOK® Guide (2008) 4th edn. Newtown Square, PA: Project Management Institute (PMI).
- A Risk Management Standard (2002) IRM, AIRMIC and ALARM, available at http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf.