Risks are “bad things that might happen”. A risk is a story about something that may or may not happen, but that plausibly could happen. Elements of that story include
- a bad thing (harm, loss, annoyance, diminished value, absence of something desirable, presence of something undesirable)
- happening (or not happening, in a way that is ultimately detectable) so as to affect…
- some victim (a person; risk is meaningless unless it affects a person) because of
- some vulnerability (a weakness, or deficiency, or overoptimisation)
- in a product
- or a process
- that is triggered (even if there’s a vulnerability, it doesn’t matter if nothing triggers it)
- by some threat (a condition that causes the vulnerability to manifest)
—Michael B.
(edited to change “does” to “doesn’t”. Not proofreading induces at least one kind of risk!)