risk

Risk-Reward Ratio
Risk-Reward Ratio Jonathan Poland

The risk-reward ratio is a measure that compares the potential for losses to the potential for gains for a particular action. Risk management aims to optimize this ratio, taking into account an organization’s risk tolerance, rather than necessarily eliminating all risk. The goal is often to minimize the risk relative to the potential reward. The following are a few examples of a risk/reward ratio.

Investing

Based on a proprietary estimation, an investor guesses that the S&P 500 has equal chance of going up 20% or going down 5% in the next year. The investor sees the risk/reward of 1:4 as attractive and buys into the index.

Product Development

An electronics company is considering launching a line of 3D printers. The development costs are significant and the company estimates there is an equal change of net income of $3 billion or a net loss of $2 billion from the product within the first 5 years. The company views the risk reward of 2:3 as unattractive and decides not to develop 3d printers.

Marketing

A luxury hotel is considering changing their pricing strategy to add a resort fee of $33 a day. They know that such fees are unpopular and the hotel has recently experienced declining ratings on popular travel review sites. They calculate that the price change will generate revenues of $1 million dollars but that there is a 50% chance of a customer backlash that will cost $12 million dollars in lost revenue due to a lower occupancy rate. The resulting risk/reward ratio is 6:1 meaning that the price increase is a risky proposition that’s unlikely to payback.

Types of Risk/Reward Ratio

The risk-reward ratio is a simple mathematical equation: risk / reward that can be used to evaluate strategies, tactical actions and processes for their potential payback. For simplicity, the ratio is often expressed as gains and losses that are estimated to have equal probability. More accurate methods model risk as a risk matrix or probability distribution.

Risk Tolerance
Risk Tolerance Jonathan Poland

A risk is the possibility of an adverse event occurring, while a trigger is the root cause of that event. For example, if a company identifies a risk that bad weather could cause the business to close, the approach of a hurricane could be the trigger that causes that risk to materialize. Sometimes, risk triggers can be identified in advance as part of risk management efforts, but in other cases, the specific triggers for a risk may be unknown beforehand. For instance, an organization may be aware of the risk of damage to its reputation, but may not be able to predict exactly what could cause that risk to occur, such as a customer posting a viral video showing poor customer service.

Risk tolerance refers to the level of uncertainty or potential loss that an individual or organization is willing to accept. Risk management aims to maximize the potential reward for a given level of risk tolerance, rather than always trying to minimize risk. This is because taking calculated risks is often necessary in order to achieve business or personal goals.

High Risk Investor

A high risk investor who is willing to tolerate potential losses of up to 50% of their portfolio in order to maximize their potential gains.

Low Risk Investor

A low risk investor who will not tolerate any potential loss of capital is restricted to relatively safe investments such as insured savings accounts that have limited potential returns.

High Risk Startup

A startup company is run by individuals with a high tolerance for risk. Although the business may fail, it also has potential to provide unusually high returns to investors.

Mega Projects

A mega project such as a large bridge may have very low tolerance for risk due to its large budget and responsibility for public safety. Such a project requires intensive risk management processes to ensure that its low risk tolerance is met.

Professional Snowboarder

Most professional snowboarders have a high risk tolerance because it’s difficult to acquire superior snowboarding skills without taking any risks.

Risk Probability
Risk Probability Jonathan Poland

Risk probability refers to the likelihood that a particular risk will occur. It is an important element of risk analysis, as it helps organizations and individuals to understand the potential consequences of different risks and to prioritize their efforts accordingly.

There are several methods that organizations and individuals can use to estimate risk probability, including:

  1. Historical data analysis: This involves examining past events or trends to identify patterns or correlations that may help to predict the likelihood of a particular risk occurring.
  2. Expert judgment: This involves seeking the input of experts or other knowledgeable individuals who may be able to provide insights into the likelihood of a particular risk occurring.
  3. Statistical modeling: This involves using statistical techniques to analyze data and make predictions about the likelihood of a particular risk occurring.
  4. Risk assessment tools: There are a variety of risk assessment tools that organizations and individuals can use to estimate risk probability, such as risk matrices or fault tree analysis.

By using one or more of these methods, organizations and individuals can accurately estimate the likelihood of different risks occurring, and use this information to inform risk management efforts.

Understanding risk probability is an important aspect of risk management, as it helps organizations and individuals to align their risk-taking with their goals and objectives. By accurately assessing risk probability, organizations and individuals can make more informed decisions about the risks they are willing and able to take on, and allocate resources more effectively to manage and mitigate those risks. The following are common ways to model risk probability.

Qualitative Probabilities
In many cases, a risk probability is an educated guess that is modeled with a rating system such as low, medium and high probability. For example, a project team may identify risks and rate them according to the expert opinion of team members.

Quantitative Probabilities
A detailed risk analysis may allow a number to be assigned to risk probabilities. These are typically a percentage such as 60% represented as 0.6.

Discrete Probability Distributions
A single risk often has multiple probabilities associated with it. For example, a fire risk can range from a building completely burning down to minor damage. It is common to break out the probability of each level of impact as a discrete probability distribution that can be represented as a table of probabilities and impacts.

Continuous Probability Distribution
A discrete probability distribution lists out a number of probabilities and associated impacts. For example, the chance of $2000 and $1000 fire damage might be listed in a table. A continuous probability distribution is a more accurate model that provides a probability for any impact such as the probability of $1033.37 of damage. This is represented as a mathematical formula and smooth curve as opposed to a table and a bar chart.

Probability-Impact Matrix
Probability-impact analysis is a common method for estimating the costs of risks. It involves assessing the likelihood of a risk occurring and the potential impact it could have. By understanding both the probability and impact of a risk, organizations can make informed decisions about how to best manage or mitigate it.

Risk Impact
Risk Impact Jonathan Poland

Risk impact refers to the potential consequences or losses that an organization or individual may incur as a result of an identified risk. It is an essential element of risk analysis, and is typically estimated by considering the likelihood of a risk occurring, as well as the potential consequences of the risk if it does occur.

Developing an estimate of probability and impact is a standard practice in risk analysis, and it is often done using a variety of techniques, such as probability analysis, impact analysis, risk assessment tools, risk analysis techniques, and risk management software. These techniques can help organizations and individuals to understand the potential impacts of different risks and to prioritize their efforts accordingly.

Risk impact is an important consideration in risk management, as it helps organizations and individuals to understand the potential costs associated with risks and to allocate resources more effectively to manage and mitigate those risks. By accurately assessing risk impact, organizations and individuals can make more informed decisions about the risks they are willing and able to take on, and develop strategies to minimize the potential consequences of those risks. The following are common types of impact.

Health & Safety
Safety or health risks related to a location, lifestyle, occupation or activity. For example, a risk assessment for a major earthquake typically includes estimates of casualties.

Quality of Life
Nations, cities, communities, organizations and individuals may base risk assessments on quality of life factors. For example, before purchasing a house an individual may consider the risk that an adjacent industrial property will pollute the air.

Sustainability
Risks to the environment such as estimates of potential damage to an ecosystem.

Financial
Financial impacts such as lost revenue, costs and expenses. Financial impacts may be modeled as a single estimate or a probability distribution.

Time
Projects often estimate risk impact in terms of cost and time. For example, a project team may estimate the impact of technical risks in terms of delays to a schedule.

Reputation
Risk impact can be viewed in terms of social factors such as reputation. For example, an airline might assess the risk of a practice such as overbooking in terms of customer satisfaction and brand value.

Risk Evaluation
Risk Evaluation Jonathan Poland

Risk evaluation is the process of identifying and assessing the risks that an organization or individual may face. It is a fundamental business practice that involves evaluating the potential consequences and likelihood of different risks, and assessing the organization’s or individual’s ability to manage and mitigate those risks.

Risk evaluation can be applied to a wide range of activities, including investments, strategies, commercial agreements, programs, projects, and operations. It helps organizations and individuals to understand the risks that they face, and to develop strategies for managing and mitigating those risks.

There are several key steps involved in the risk evaluation process:

  1. Identifying risks: The first step in risk evaluation is to identify the risks that an organization or individual may face. This involves looking at a wide range of factors, including the organization’s operations, the industry in which it operates, and the external environment.
  2. Assessing risks: Once risks have been identified, they need to be assessed in terms of their likelihood and potential impact. This involves evaluating the likelihood of a risk occurring, as well as the potential consequences of the risk if it does occur.
  3. Prioritizing risks: After risks have been identified and assessed, they need to be prioritized based on their likelihood and potential impact. This helps the organization or individual to focus their efforts on the most critical risks and allocate resources accordingly.
  4. Developing risk management strategies: After risks have been prioritized, the organization or individual needs to develop strategies to mitigate or minimize them. This may involve implementing new processes or procedures, introducing new technology, or other measures.

Risk evaluation is an essential element of effective risk management, and it is important for organizations and individuals to regularly assess and evaluate the risks that they face in order to minimize their potential impact. The following are some basic steps in the risk evaluation process.

Identification

All stakeholders are asked to identify risk. This helps to improve acceptance of an initiative as everyone is given an opportunity to express all the things that can go wrong. Sophisticated entities may also identify risks by looking at databases of issues that occurred with similar programs, strategies or projects.

Probability & Impact

Estimating the probability and impact of each identified risk. This can be done as a rough estimate such as high, medium or low. In reality, most risks don’t have a single cost but a probability distribution of possible costs. For example, the risk of a traffic accident isn’t a single cost but a range of costs each with an associated probability estimate. Sophisticated entities such as insurance companies will model risks with probability distributions. Projects may estimate risks with a probability-impact matrix.

Moment Of Risk

Listing out the specific conditions that cause the risk to be more likely to occur. For example, the risk of a type of injury at a construction site may be associated with a particular activity or construction stage.

Treatment

Risk treatment options include acceptance, mitigation, transfer, sharing and avoidance. When a risk is mitigated or shared the probability and impact typically need to be reevaluated.

Secondary Risk

Evaluation of risks caused by treatments. For example, avoiding or mitigating a risk can result in new risks.

Residual Risk

Calculating the probability and impact of remaining risk after treatment. For example, the risk that remains after mitigation including secondary risk.

Monitoring & Review

Regularly identifying new risks that become clear as a program or project progresses. Overseeing the implementation of risk treatment and evaluating results.

Risk Capacity
Risk Capacity Jonathan Poland

Risk capacity is the maximum level of risk that an organization or individual is able to withstand in order to achieve their goals. It represents the total amount of risk exposure that is consistent with the organization’s or individual’s strategy and objectives. Risk capacity is often compared to risk tolerance, which refers to an organization or individual’s willingness to take on risk. Risk tolerance may be influenced by factors such as the organization’s or individual’s risk appetite, risk culture, and risk management capabilities.

Determining an organization’s or individual’s risk capacity involves evaluating the potential consequences of different risks and assessing the organization’s or individual’s ability to absorb or mitigate those risks. This can be done using a variety of techniques, such as risk assessment tools, risk analysis techniques, or risk management software. Understanding risk capacity is an important aspect of risk management, as it helps organizations and individuals to align their risk-taking with their goals and objectives. By accurately assessing risk capacity, organizations and individuals can make more informed decisions about the risks they are willing and able to take on, and allocate resources more effectively to manage and mitigate those risks. The following are illustrative examples of a risk capacity.

Investing

An investor is completely risk adverse but wants to make 7% per year to meet their goals for retirement. This may require the investor to increase their risk capacity beyond their risk tolerance. The exact level of risk required depends on market conditions, particularly interest rates. If interest rates are near 7%, the investor may achieve their goals with little risk. Alternatively, if interest rates are near 0% significant risk may be required to have any chance of returns exceeding 7%.

Risk Management

An investment manager is expected to outperform the market which typically requires taking on more risk than the market average. However, the investment manager is also constrained to a risk exposure level set by a risk management team. This risk exposure level can be described as the manager’s risk capacity.

Professional

A professional wants a promotion within a year to pay for changes to their lifestyle. This typically requires taking on additional responsibilities and increased visibility. If the individual is risk adverse, they may need to take on risk exposure that exceeds their risk tolerance to have a realistic chance of a timely promotion.

Projects

An IT project has zero risk tolerance, needs to be completed in a month, has a $1 million budget and a long list of requirements that are all high priority. A risk analysis shows that there is an 95% chance of project failure with a total risk exposure of $5 million meaning that the budget and schedule have a high probability of significant overruns. The business unit has a choice to accept this risk and proceed as planned with a $5 million risk capacity. Alternatively, dropping requirements, extending budget and increasing timelines will reduce risk capacity towards their risk tolerance level.

Dread Risk

A dread risk is a risk that people fear such that they are willing to pay to minimize risk exposure. When the goal is to minimize risk, risk capacity is near zero and risk exposure is driven as low as is feasible given constraints such as budget and technical limitations. For example, the public expect aircraft to be extremely safe and it is not considered acceptable to take risks with flight safety.

Unmanaged Risk

An unmanaged risk is a risk that isn’t managed despite its ability to disrupt your goals. In this case, risk capacity may be low as you aren’t expecting an unmanaged risk to disrupt your plans but actual risk exposure may be very high as nothing is done to treat risk. For example, a society that leaves known environmental risks unmanaged despite the likelihood these risks will disrupt quality of life, health and economic goals.

Risk Estimates
Risk Estimates Jonathan Poland

Risk estimates are predictions or projections of the likelihood and potential consequences of risks. They are used to inform risk management efforts, such as measuring risk exposure and identifying strategies for reducing or mitigating risks.

There are a variety of methods that organizations can use to estimate risks, including probability analysis, impact analysis, risk assessment tools, risk analysis techniques, and risk management software. These methods can help organizations to understand the potential impacts of risks, to prioritize risks based on their likelihood and potential impact, and to develop strategies for managing and mitigating risks.

Risk estimates are an important element of effective risk management, as they help organizations to better understand and manage the risks that they face. By accurately forecasting the probability and impact of risks, organizations can make more informed decisions and allocate resources more effectively to mitigate or reduce risks.

Basic

A single estimate of probability and impact based on historical comparisons and/or the opinions of subject matter experts. For example, a product development team estimates the risk that a product will fail on the market as a 20% chance of a $100,000 loss. The risk exposure calculation is an estimate of the probable cost of a risk. It isn’t an upper bound on risk.

Risk Exposure = 0.2 x 100,000 = $20,000

Probability-Impact Matrix

A single estimate of probability and impact is often overly simplistic as there may be many levels of potential impact, each with a separate probability of occurring. A more accurate risk estimate can often be obtained with a matrix of probabilities and impacts.

Probability Distribution

A more detailed risk estimate can be represented with a smooth curve that gives you a probability for every possible impact.

Parametric Estimates

Risk estimates that go beyond the educated guesses of subject matter experts to calculate risk probabilities and impacts using formulas or algorithms based on a number of parameters. Such calculations are industry and risk specific.

Reference Class Forecasting

Developing or validating risk estimates using data about historical losses that occurred with comparable strategies, operations or projects. For example, risk estimates for an infrastructure project based on a database of historical infrastructure projects of similar magnitude. If projects in your industry have a 20% failure rate and your risk estimate is 3%, you might be missing something.

Risk Exposure
Risk Exposure Jonathan Poland

Risk exposure refers to the potential costs that an organization could incur as a result of a particular risk or set of risks. This concept is used to assess the potential impact of risks on an organization’s operations, and is typically calculated for a specific strategy, program, project, or initiative.

To calculate risk exposure, organizations typically consider the probability of a risk occurring, as well as the potential impact of the risk if it does occur. This can be done using a variety of techniques, such as risk assessment tools, risk analysis techniques, or risk management software. The results of this analysis can be used to inform decision making and to develop strategies for managing and mitigating risks.

Risk exposure is an important concept in risk management, as it helps organizations to understand the potential costs associated with risks and to allocate resources accordingly. It is also useful for identifying the risks that pose the greatest threat to an organization, and for developing strategies to address these risks. By accurately assessing risk exposure, organizations can better prepare for and respond to potential risks, and minimize their impact on operations.

There are several ways that organizations can calculate risk exposure, including:

  1. Probability analysis: This involves estimating the likelihood that a particular risk will occur. This can be done using a variety of techniques, such as historical data analysis, expert judgment, or statistical modeling.
  2. Impact analysis: This involves estimating the potential consequences of a risk occurring. This can include financial impacts, as well as non-financial impacts such as damage to reputation or the environment.
  3. Risk assessment tools: There are a variety of risk assessment tools that organizations can use to assess risk exposure. These tools often use a combination of probability and impact analysis to estimate the risk exposure of a particular risk or set of risks.
  4. Risk analysis techniques: There are several risk analysis techniques that organizations can use to assess risk exposure, including risk matrices, fault tree analysis, and Monte Carlo simulations. These techniques can help organizations to understand the potential consequences of risks and to identify strategies for managing and mitigating them.
  5. Risk management software: There are a variety of risk management software tools that organizations can use to assess risk exposure. These tools often use a combination of probability and impact analysis, as well as risk assessment tools and risk analysis techniques, to calculate risk exposure.

By using one or more of these methods, organizations can accurately assess risk exposure and develop strategies for managing and mitigating risks.

Acceptable Risk
Acceptable Risk Jonathan Poland

An acceptable risk is a level of risk that is deemed to be tolerable for an individual, organization, community, or nation. These risks are determined based on their probability and potential impact, and are used as a guide for risk management efforts.

The moment of risk refers to the expected time frame in which an identified risk is likely to occur. Risks often change over time and may be associated with specific events or periods. For example, the risk associated with testing a new rocket may be concentrated at the time of launch. Identifying the moment of risk can help to mitigate or avoid it. For example, if an investor anticipates that a stock may be volatile around its quarterly earnings announcement, they may choose to sell the stock beforehand in order to reduce their risk.

It is generally not possible to completely eliminate all risks, due to factors such as cost and the potential for creating new risks in the process of reducing others. Acceptable risks provide a practical goal for risk management and are often more useful than the ideal of zero risk. The following are illustrative examples of acceptable risk.

Infrastructure

A proposed tsunami shelter is constructed to withstand a 12 meter, or 39 foot, tsunami. Models indicate that a tsunami larger than 12 meters will strike the area once every 1300 years. This risk is published to the community and accepted as part of the project approval process.

Transportation

A jet engine has a historical failure rate of 0.4 per million departures. Regulators and customers generally view this as an acceptable level of risk.

Business

A bicycle manufacturer depends on a single supplier for tires. Without a supply of these tires, production will cease and revenue will decline. The probability of a major supply disruption is forecast to be 0.6% per annum. The management of the company decide to accept this risk.

Individual

A professional skateboarder estimates a 20% chance of a broken bone in a year. They decide this is acceptable given the rewards they find in the sport.

Risk Management Techniques
Risk Management Techniques Jonathan Poland

Risk management is the process of identifying, assessing, and prioritizing risks in order to minimize their potential impact on an organization. It is an essential element of effective business planning and decision making, as it helps organizations to identify and mitigate potential negative consequences that could arise from their operations or activities. The following are common risk management techniques and considerations.

Risk Identification
Risk identification involves a creative element as it is essentially a process of imagining the future. It is also approached using analysis and systems thinking.

  • Known Unknowns
  • Reference Class Forecasting
  • Risk Intelligence
  • Risk Register
  • Systems Thinking
  • Unintended Consequences

Risk Analysis
Modeling and measuring risk.

  • Acceptable Risk
  • Cone Of Uncertainty
  • Extreme Value Theory
  • Moment Of Risk
  • Risk Capacity
  • Risk Estimates
  • Risk Evaluation
  • Risk Exposure
  • Risk Impact
  • Risk Matrix
  • Risk Probability
  • Risk Profile
  • Risk Tolerance
  • Risk Triggers
  • Risk-Reward Ratio
  • Uncertainty

Treatments
At its core, risk management is a process of treating risks. The following are types of risk treatment.

  • Antifragile
  • Resilience
  • Risk Acceptance
  • Risk Contingency
  • Risk Control
  • Risk Mitigation
  • Risk Monitoring
  • Risk Prevention
  • Risk Reduction
  • Risk Response
  • Risk Sharing

Strategies & Techniques
Techniques that go beyond the regular process of identifying and treating risk.

  • Business As Usual
  • Calculated Risk
  • Fail Well
  • Failure Is Not An Option
  • Resilience
  • Risk Communication
  • Risk Culture
  • Sanity Check

Special Practices
Variations of risk management for special categories of risk.

  • Contingency Planning
  • Disaster Preparedness
  • Dread Risks
  • Enterprise Risk Management
  • Innovation Risk Management
  • Positive Risk
  • Project Risk
  • Upside Risk

Plan
Pulling everything together as a risk management plan.

  • Contingency Plan
  • Risk Management Plan

Risks
Types of risk.

  • Business Risks
  • Competition
  • Compliance
  • Economic Risk
  • Financial Risk
  • Innovation Risk
  • Investing Risk
  • Political Risk
  • Positive Risk
  • Reputational Risk
  • Resource Risk
  • Seasonal Risk
  • Strategy Risk
  • Tactical Risk
  • Technology Risk

Failures & Challenges
Common challenges and patterns of risk management failure.

  • Cascading Failure
  • Failure Of Imagination
  • Residual Risk
  • Risk Awareness
  • Secondary Risk
  • Unknown Risks
Learn More
Audience Analysis Jonathan Poland

Audience Analysis

Audience analysis is the process of studying and understanding the characteristics of a target audience. This is often done in…

Job Orientation Jonathan Poland

Job Orientation

Job orientation, also known as onboarding, is the process of introducing new employees to the company and their role. It…

Marketing Channel Jonathan Poland

Marketing Channel

The total combined industries of consumer goods and services.

Delegation 101 Jonathan Poland

Delegation 101

Delegation is the act of assigning specific tasks and responsibilities to others, along with the necessary authority to complete them.…

What are Project Estimates? Jonathan Poland

What are Project Estimates?

Project estimates are used to predict the costs, task completion times, and resource needs for a project, often broken down…

Risk Acceptance Jonathan Poland

Risk Acceptance

Risk acceptance involves consciously deciding to take on a risk, often because the potential reward outweighs the potential negative consequences…

Risk Mitigation Jonathan Poland

Risk Mitigation

Risk mitigation is the process of identifying, analyzing, and taking steps to reduce or eliminate risks to an individual or…

Alliance Marketing Jonathan Poland

Alliance Marketing

Alliance marketing refers to a strategic partnership between two or more organizations in which they agree to collaborate on marketing…

Innovation 101 Jonathan Poland

Innovation 101

Innovation is the process of creating new ideas, products, or processes that add value to a company. This can be…

Jonathan Poland © 2025

Content Database

Search over 1,000 posts on topics across
business, finance, and capital markets.

What is Knowledge? Jonathan Poland

What is Knowledge?

Knowledge is the understanding, skills, and expertise that humans acquire through experience, education, and research. It can take many forms,…

Project Metrics Jonathan Poland

Project Metrics

Project metrics are methods for measuring the progress and performance of a project. They are typically tracked continuously in order…

Product Markets Jonathan Poland

Product Markets

A product market is a venue where buyers and sellers can exchange goods or services. Product markets can be large…

Algorithmic Accountability Jonathan Poland

Algorithmic Accountability

Algorithmic accountability is the concept of holding algorithms and the organizations that use them accountable for the decisions they make…

Sales Objections Jonathan Poland

Sales Objections

A sales objection is a concern or hesitation that a customer has about making a purchase. Identifying and addressing these…

Rule of Three Jonathan Poland

Rule of Three

The rule of three is an economic theory that posits that large, mature markets tend to be dominated by three…

Product Risk Jonathan Poland

Product Risk

Product risk refers to the potential for negative consequences that may result from the development, production, or use of a…

Strategic Communication Jonathan Poland

Strategic Communication

Strategic communication is the deliberate planning, dissemination, and use of information to influence attitudes, beliefs, and behaviors. It is a…

Magical Thinking Jonathan Poland

Magical Thinking

Introduction to Magical Thinking Magical thinking is a type of irrational belief that involves attributing causality to events that are…

Read More