DHS Lexicon
2017 Edition – Revision 2 Page 737
RISK INFORMATION
1) Risk is defined as the potential for an unwanted outcome. This potential is often measured and used
to compare different future situations.
2) Risk may manifest at the strategic, operational, and tactical levels.
3) Risk is a measure of the potential inability to achieve acquisition objectives within defined cost and
schedule constraints. It has two components: the probability of failing to achieve a particular outcome;
and the consequences or impact of failing to achieve that outcome. Risk management is a process of
developing an organized, comprehensive, and iterative approach to identifying, assessing, mitigating,
and continuously tracking, controlling, and documenting risk; it is tailored to each investment.
Investments are designated “high risk” through two routes:
(1) The assignment of the category by the Office of Management and Budget per its memorandum
05-23, dated August 4, 2005, and
(2) Approval of the designation by the Milestone Decision Authority after review and
discussion, leading to the designation of a higher investment level for greater DHS scrutiny
and identification of the program risk. Two risk factors, the probability of failing to achieve
a particular outcome and the consequences or impact of failing to achieve that outcome, are
used to determine the priority (high, medium, low) of a risk.
4) Risk has two components, Risk Identification and Risk Management. Risk Management is an
iterative process that includes risk management planning, risk identification, risk analysis (quantitative
and qualitative), risk response planning (mitigation plan for risks with a probability of occurrence of less
than 100, and contingency plan for risks that have occurred [probability = 100; also known as issues]),
and risk monitoring and control. Typically, high priority risks receive the most attention and should be
escalated for senior management attention based on pre-determined criteria.
5) Risk is a function of the vulnerability of one or more assets when exposed to some hazard(s) or
threat(s) that has some likelihood of occurring and, in the case of a deliberate threat, some probability of
being successful.
6) The terms hazard, risk, and threat are often used as synonyms. The term risk is not interchangeable
with the terms hazard or threat, because hazards and threats are components of risk.
7) Risk can be measured and used to compare different future situations. There are numerous ways to
break down the components of risk for analysis, but risk is most simply and commonly expressed using
the equation risk = probability × consequences.