Why Risk Isn’t Just About Probability: Defining Risk by What We Value

The word "risk" is everywhere – but how should risk be defined?  Many definitions of risk focus on probability, with the implication that risk is an absolute value.  Yet, as Professor Terje Aven from the University of Stavanger, Norway, argues, risk is highly subjective.  In this article, we will explore Dr Aven’s definition of risk and the role of stakeholder values in determining risk.

Terje Aven’s Definition of Risk

Professor Terje Aven from the University of Stavanger, Norway, provides the following non-mathematic formula for defining risk:

Risk = (Consequences, Uncertainty)

This deceptively simple equation is powerful. It shifts our focus away from abstract probabilities and asks: What could happen? How much would it matter? And to whom? In this article, we explore how Aven’s definition reshapes our understanding of risk, emphasizing the crucial role that values play in how we perceive, prioritize, and manage uncertain outcomes.

Aven (2018) argues, what constitutes a risk depends on what we value.Effective risk assessment, therefore, must account for different stakeholder perspectives, not just technical data.

Risk is Subjective

To explore the role of subjective nature of risk, consider two imaginary individuals, Emma and Oliva, considering the risk of rain on a Saturday in June.  Both live in the same area, where the weatherman announces a 40% chance of rain.  They both face the same uncertainty about if it will rain or not.  Does this mean that the risk of rain is, for both Emma and Oliva, the same?

Let us explore some more about their plans.  Emma is getting married on Saturday, with an outdoor reception following the ceremony.  Oliva, on the other hand,hopes to finish reading a book and do the laundry.  The chance of rain on Saturday is the same for both Emma and Oliva, but the consequences is significantly different.  For Emma, rain may ruin the plans for her wedding.  In other words,the consequences are great.  For Oliva,the consequences of rain are minor. Perhaps Oliva would not be able to air dry the laundry, but overall, the consequences for rain are significantly less than those for Emma.

The probability of rain is identical, but the value each stakeholder places on the event are different.

Risk, then, is not an objective truth but a subjective judgment shaped by our goals, priorities, and beliefs. The same risk may be assessed as high or low depending on who you ask. For a government agency, a cyber security breach may be considered a national threat; for a small store, it might be viewed as a temporary setback.

Consequences Over Probability

Consequences can be much more important than probability when determining what is a risk.  A 1% chance of system failure might be acceptable for a consumer gadget but intolerable in a nuclear reactor.

The same event—a product delay, a technical malfunction, a financial loss—can carry vastly different consequences depending on timing, expectations,and affected parties. A shipping delay during the holiday season may lead to lost revenue and customer dissatisfaction; the same delay in February might go unnoticed.

Consequently, risk evaluators must decide which outcomes matter most, to whom, and why. This turns risk assessment into a social and ethical process. Whose interests are being protected? Whose losses are deemed acceptable?

Risk Prioritization Is Value Prioritization

Organizations constantly make trade-offs. A city council deciding whether to fund flood barriers or upgrade bridges is making a decision about risk—and value. So is a business investing in cybersecurity versus customer support, or a family choosing between buying insurance or saving for college.

Every prioritization reflects implicit or explicit judgments about which consequences are most important. And these judgments vary widely across contexts. In a global company, risk appetite might differ between departments,regions, or leadership levels.

This idea of "risk appetite" refers to the amount of risk an organization or individual is willing to accept in pursuit of goals. The lower the appetite, the more resources are typically spent mitigating or avoiding that risk. But even within low-tolerance environments, not all risks can be treated equally. Choices must be made—and these choices reflect our values.

Opportunity-Loss Risk: The Risks of Inaction

Aven’s framework also reminds us that risk is not always about harm. Risk can also involve lost opportunity.

Imagine choosing between two job offers. Both are good, but different. Whichever you pick, you lose out on the benefits of the other. That’s opportunity-loss risk. Or consider choosing not to invest in a new technology because of the potential for bugs—only to fall behind competitors who take the plunge.

Inaction can be as risky as action. As Leveson (2011) notes, risks can stem from both doing something and doing nothing. The assumption that "playing it safe" is always safer may itself be a risk.

Positive Risk

Counterintuitively, Aven and others' definition of risk allows for positive risk - or the risk of something happening in a favorable way. Usually, this type of risk is described by another word, such as opportunity. However, by many definitions, risk can be positive as well as negative.

To what degree a risk is positive or negative can vary over time. Consider a farmer who grows wheat. The impact of rain of the wheat crop (the consequence of rain) changes depending on the growing stage of the wheat. At the beginning of the plant's life water is needed to sprout, yet too much water at these early stages can cause waterlogging and damage. Between jointing and flowering stages of wheat growth, heavier rain is beneficial. Yet when the wheat is ready to be harvested, at least a week of no rain is ideal - as the plants need to be dry to be harvested.

For the farmer, the consequences of rain change. At times additional rain would be a negative risk with harmful outcomes. At other times, additional rain would be a positive risk, or benefit.

Similarly, what is considered a risk and what is considered an opportunity (or positive risk), varies over time for companies, teams, and individuals. After all, chance and certainty of an event are not the only things which change.  The affects of that event also change.

Complexity and the Limits of Prediction

In simple systems, risk is relatively easy to model. But in complex,interconnected systems—like modern economies, digital networks, or global supply chains—predicting outcomes is far more difficult.

This is because risks in such systems often emerge from interactions among subsystems (Leveson, 2011; Hollnagel et al., 2015). A small change in one part of the system—a coding error, a political shift, a supplier delay—can ripple outward in unpredictable ways. Risk assessment in these contexts requires more than equations; it requires judgment, imagination, and awareness of context.

Moreover, systems are not static. As Dekker (2011) describes, systems often undergo drift over time, moving away from their designed or expected state. This drift can make risk assessments quickly outdated if they don't account for how real-world behavior diverges from formal protocols.

Toward Value-Centered Risk Management

Aven’s model invites a more holistic, inclusive, and reflective approach to risk. If risk equals consequence plus uncertainty, then risk management must start by asking: What outcomes do we care about most?

This has real-world implications:

1. Stakeholder engagement: Include all relevant voices in defining and evaluating risk.
2. Transparent trade-offs: Acknowledge that prioritizing one risk often means accepting another.
3. Flexible tools: Use methods that accommodate qualitative and subjective judgments.
4. Continuous reflection: Revisit assumptions and values as systems and contexts evolve.

Conclusion: Risk Is What We Care About

By framing risk as a function of consequences and uncertainty, Aven(2018) shows that managing risk is not just about calculations—it's about care.It’s about what we choose to protect, what we are willing to lose, and what we are striving for.

Whether you're a policymaker, an engineer, a business leader, or a concerned citizen, remember: Risk isn't just about probability. It's about people, priorities, and purpose. The next time someone labels something as"high-risk," ask: For whom? And why does it matter?

‍

References

Aven, T. (2018). Improving risk characterisations in practicalsituations. Risk Analysis, 38(8), 1645–1654.

Bernstein, P. L. (1998). Against the Gods: The Remarkable Story ofRisk. Wiley.

Dekker, S. (2011). Drift into failure: From hunting broken componentsto understanding complex systems. CRC Press.

Hollnagel, E., Wears, R. L., & Braithwaite, J. (2015). From Safety-Ito Safety-II: A white paper. The Resilient Health Care Net.

Leveson, N. (2011). Engineering a safer world: Systems thinkingapplied to safety. MIT Press.

‍