- The *probability of the occurrence of an event with negative consequences. The IIA defines risk as "the probability that an event or action, or inaction, may adversely affect the organization or activity under review" (quoted in Hermanson and Rittenberg, 2003, 35). Risk leads to Opportunity costs as well as traditionally understood *costs, and it can be quantified in terms of (i) likelihood of occurrence and (ii) financial or operational outcome. While some risks can be quantified only with difficulty, they can at a minimum be categorized as high, medium, or low, in terms of both likelihood of occurrence and financial or operational outcome. Risks are often interpreted as potential barriers to the achievement of the objectives or goals of an activity or organization. Typical areas of risk in modern organizations include the following: (i) strategic and *planning risks, (ii) *fraud, (iii) *credit risks, (iv) operational risks (including health and safety concerns), (v) legal matters, (vi) *regulatory risks, (vii) accounting risks, (viii) technological risks (including the *obsolescence of manufactured products), and (ix) *treasury risks. Many of these risks are not stand-alone items, as their interrelations can be complex. A study by the Institute of Internal Auditors (IIA UK, 1998, section 2.2) identified three underlying primary causes of risk: (i) the random nature of events, (ii) imperfect or incomplete knowledge, and (iii) lack of *control. See also (in addition to the dictionary’s entries that begin with the word risk) *absolute risk, *audit risk, *Control Risk Self Assessment, *credit risk, *enterprise risk management, *interest rate risk, *portfolio risk, *reputation risk, *sampling risk, *systematic risk, *uncertainty and *unsystematic risk. Further reading: Bernstein (1996); Doherty (2000); IIA UK (1998)
Auditor's dictionary. 2014.