May 2nd, 2006 by Chandler Howell

When we talk about Risk, we generally are talking about the likelihood of Something Bad Happening. If I look it up in a dictionary, risk is “The possibility of suffering harm or loss; danger.”

This is especially true when talking about Risk within IT. I get asked questions like, “What’s the risk of Vulnerability X?” or “What’s the risk of allowing this protocol through a firewall?” (The answer is, “It depends.”) Even project status slides present events in separate sections labeled “Risks” and “Opportunities,” as if the two are somehow independent.

But we should always consider that Risk (likelihood of Something Bad happening) is just one side of Volatility (likelihood of Something Happening, good or bad). Never forget that without risk we cannot have reward.

Our job is not to eliminate risk. It is to identify the risks we should mitigate or avoid because they don’t provide adequate potential for reward and determine how best to transfer or accept the ones that do.

- Posted in Security and Risk Management, Risk Management
