In many ways, the lack of acceptance and implementation of good risk management practices in organisations comes down to not being able to clearly define exactly what risk or risk management is. If for instance you look up 'what is risk management' in a popular search engine, you will get a staggering 222,000,000 entries! No wonder there is confusion.
To add to the problem, we have Risk Management, Enterprise Risk Management and Strategic Risk Management (and probably others being conceived as we speak). Let's look at some commonly used definitions:
Risk management (RM) is the identification, assessment, and prioritisation of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events* or to maximise the realisation of opportunities.
Enterprise risk management (ERM) in business includes the methods and processes used by organisations to manage risks and seize opportunities related to the achievement of their objectives.
Strategic risk management (SRM) can be defined as the process of identifying, assessing and managing the risk in the organisation's business strategy including taking swift action when risks are realized.
The Risk Management Standard, ISO 31000:2009 defines risk as the effect of uncertainty on objectives. Personally, I find this very useful - concise, incorporates probability / likelihood and allows for upside and downside risks.
So what should we take from all of the above? When constructing your risk management program, don't rely on finding certainty when it comes to risk definitions. Organisations should build a glossary of risk terms that suit their business and ensure they are published, communicated and most importantly, explained to teams across the organisation. Failing to do so will lead to a similar level of variations in meanings inside your organisation as there are in the outside world.
*Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It.