When people talk about risk or describe risk, you get the impression it is one thing. Risk is a way of thinking about a projects rather than a single thing. There are as many risks as there are variables that can affect the outcome of your project.
In finance, market risk values are normally calculated as the sensitivity to an market data input variable.
Take for example a Credit Default Swap, the simplest Credit Derivative Product.
The Present Value of a CDS, PV = F( C1..Cn, IR1..IRk, CoF1..CoFj, FX, t )
Where C1..Cn, IR1..IRk, CoF1..CoFj, FX, t are the market data inputs (Credit Spreads, Interest Rates, Cost of Funding, Foreign Exchange Rate, the date respectively).
The basic risk (used for hedging) is calculated by bumping each market data input independently. This means that there will be a risk value for each of the market data variables, namely, each of C1..Cn, IR1..IRk, CoF1..CoFj, FX, t… Approximately 100 values.
That is before you consider scenarios and stress tests on the portfolio.
There are process such as P&L explain and P&L attribution to ensure that there are no unknown risks. They ensure that all of the P&L is explained or attributed to the known risks.
In addition, there is operational risk. Operational risk is broken down into…
- Risk of operational failure
- Legal Risk
- Reputation Risk
- Fraud Risk
- Security Risk
- Regulatory Risk
- Model Risk
- And many, many more
In finance, risk is a mindset. It is not a single value.
The next time someone talks about risk on an IT project, ask which type of risk they are talking about.