Risk is the effect of uncertainty on objectives. This definition of risk comes from ISO 31000, the standard from the International Standards Organization. ISO 31000 is the foundation of this legal risk training class.

This definition of risk is deceptively simple. That is part of its power. ISO 31000 is designed to cover any type of risk, for any size organization in any industry. We will adapt it to legal risk.

When we do not know the implications of an event, actual or hypothetical, for one of our objectives, we are on the hunt for risk. We want to measure the “effect” of that uncertainty.

We are uncertain about the effect on our business of an asteroid striking the earth. Once we measure the risk, however, we can decide to ignore it because the risk is so small, or because there is nothing we can do about the risk of an asteroid strike.

Risk of Asteroid Hitting Earth

Risk is ultimately about uncertainty. We are uncertain about whether an event will happen and about the ramifications of that event.

Risk is a measurement of the degree of our uncertainty. Legal professionals are often asked “What is the chance we will lose a lawsuit?” or “How much are the legal damages?” Legal professionals have a strong aversion to answering these questions. We often cannot know the answers. In the face of that uncertainty, we refuse to answer the questions.

This definition of risk creates an opportunity to measure the uncertainty and to give a better answer.

Uncertainty concerns events

We are uncertain in the abstract. We are uncertain about whether a thing will happen or about the implications of a thing. The “things” we worry about are “events” in risk parlance. An event is an “occurrence or change of a particular set of circumstances.” [1]

The asteroid strike is an obvious event. A process of national deregulation of an industry, however, is less obviously an “event.” That deregulation process is a change in a set of circumstances.

Events can be actual or hypothetical. For a hypothetical event, we can be uncertain about the chance that it will occur; for an actual event, we can be uncertain about its effects. Of course, we can, and probably will, be uncertain about both the likelihood and the consequences of both hypothetical and actual events.

Events affect objectives

Risk event analysis is not an abstract exercise. Yes, an asteroid strike might have implications for food production in Argentina, but that is not relevant to our British manufacturing plant.

When we try to measure the risk of an event, we link the event to our objectives. We need to understand how the event affects our objectives, not someone else’s.

This means that we need to list the organizational objectives. In later sections we will explore how to identify organizational objectives. For the time being, any level or part of your organization can have objectives. One of the benefits of ISO 31000 is that it is scalable for any size organization or part of an organization.

Objectives should be specific. They do not have to be financial or even numerical. Just to illustrate the point briefly, here are some sample objectives:

  • Grow revenue by 15% year over year,
  • Launch brand new product line,
  • Hire 5 new team members,
  • Reduce expenses by 10%, and
  • Acquire a new company.

We will explore organizational objectives in more detail later. For now, the important point is that we analyze risk events in terms of their effect on objectives.

Effects of events have likelihood and consequences

To refine our analysis of risk events we break them down into their likelihood and consequences. Earlier we said that events themselves can have likelihood and consequences. That is still correct. Many events generate multiple effects, each of which has its own likelihood and consequences.

For example, if we ship goods by sea, the risk event is that the ship encounters a large storm during transit.

Several effects of that storm need analysis:

  • The effect of the ship taking on water,
  • The effect of delay in arrival, and
  • The effect of damage to the goods.

Each of these effects has its own likelihood and consequences. Through risk analysis we can measure those risks, and then manage them.


Likelihood means simply: “chance of something happening.” [2] ISO 31000 elaborates this definition, saying:

In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period). [3]

We use “likelihood” instead of probability intentionally. Probability is often used informally in discussions of risk. Probability, however, also has a statistical meaning in risk management. Probability quantifies a risk in mathematical terms.

While ISO 31000 does not exclude the term probability, it does encourage use of likelihood instead. For legal risk analysis, likelihood is a better term than probability. Very few organizations have sufficient internal data and statistical models to estimate the mathematical probability of a lawsuit or contract issue.

This is one of the reasons legal professionals disdain the question, “What are the chances we will get sued or win at trial?” They interpret the question in mathematical terms. There is no answer.

However, using likelihood allows the legal professional to provide a clear answer without mathematical precision. We will learn how to provide these answers later.


A consequence is more straightforward. A consequence is an outcome that relates to an objective. [4]

The analysis of consequences can include derivative or cumulative effects.

The effects might occur suddenly or over time. They might be quantifiable such as a judgment for a certain amount or qualitative such as a loss of reputation.

Likelihood and consequences constitute risk

Together, likelihood and consequences enable us to measure risk. We will pair these concepts in the context of legal risk so that organizations can adapt and respond to a wide range of legal risks.

Risk measures uncertainty in terms of likelihood and consequences

  • Risk measures uncertainty
  • Uncertainty concerns events
  • Events affect objectives
  • Effects of events have likelihood and consequences
  • Likelihood and consequences constitute risk

[1] ISO 31000:2018 3.5 event.

[2] ISO 31000:2018 3.7 likelihood.

[3] ISO 31000:2018 3.7 likelihood.

[4] ISO 31000:2018 3.6 consequence.