A risk is a possible problem that has yet to occur. When a risk we have identified becomes a problem, we say "the risk has ''materialised''." The cost of dealing with the problem is called the ''impact''. Each risk has two variables: probability, and impact. The combination of probability and impact is known as RiskExposure: RiskExposure = probability * impact Both probability and impact vary over time. Therefore our exposure to risk is usually not a constant. Each risk has a lifespan which begins when the exposure becomes more than 0 and ends when it drops back down. Most risks are not atomic, but aggregates of many risks. A common example of an AggregateRisk is the facetious case of a meteor strike on your office. Although managing the risk of a meteor strike itself is foolish, it contains many component risks which we should manage. For example, a meteor strike would almost certainly cause a destruction of all the data held at an office. But a meteor strike is not the only risk that could cause this. There are many others with a much higher probability: a simple computer virus, theft, an office fire, and so on. Managing the risk of data loss, such as using an off-site backup, automatically accounts for this portion in all its aggregates; even a meteor strike. ---- See RiskManagement