Risk vs. Risk Factor — Let’s Not Get It Twisted
One of the most common mistakes I see — across teams, in boardrooms, and even in risk registers — is confusing risk with risk factor. These two terms get thrown around as if they mean the same thing, but they don’t. And when we don’t distinguish between the two, our entire risk management effort gets blurry and shallow.
So let’s clear this up.
A risk is the actual bad thing that could happen — the event or incident that would disrupt your business, cause financial loss, damage your reputation, or trigger regulatory issues.
A risk factor, on the other hand, is something that increases the chance of that bad thing happening. It’s the condition or weakness that creates the opportunity for risk to materialize.
Let’s make this real.
If your users are still using weak passwords, that’s a risk factor. If someone exploits that and gains unauthorized access to critical systems — that’s the risk.
If your infrastructure is running on outdated software, that’s a risk factor. If an attacker leverages that outdated software to plant ransomware — that’s the risk.
Now here's the part many people miss:
You assess and report on risks (the likelihood and the impact).
You manage and reduce risk factors (the conditions that drive the likelihood, and occasionally the impact: missing backups do not make ransomware more likely, they make it more costly, and they still belong on the factor list rather than the risk list).
That distinction matters.
If your board risk dashboard is just a list of weak practices, missing controls, or audit findings (i.e. risk factors), you are not showing the real risks, and nobody can attach a likelihood or an impact to a finding. And if your ops team is spending all its time measuring "top risks" without drilling into what is making those risks likely in the first place, you are just spinning your wheels.
You need both — but for different purposes.
Risks help with decision-making, prioritization, and governance.
Risk factors help with prevention, controls, and day-to-day risk reduction.
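To make the split concrete, here is a small added example (my own illustration, not something from the original post) of a register that keeps risks and risk factors as separate records and produces the two views described above: risks ranked by expected loss for the board, and factors ranked by how much expected loss closing each one removes for the ops team. The noisy-OR combination of factor contributions, the probabilities and the loss figures are all assumed sample values for illustration, not a method or data from the post.

```python
"""Added example: a risk register that keeps risks and risk factors apart.

Risks carry impact and get their likelihood from the open factors that feed
them; factors carry no impact of their own.  All figures are constructed
sample values, and the noisy-OR combination is an assumption, not a method
from the post.
"""
from dataclasses import dataclass, field


@dataclass
class RiskFactor:
    """A condition that makes one or more risks more likely (no impact of its own)."""
    id: str
    description: str
    status: str = "open"  # "open" or "closed"


@dataclass
class Risk:
    """The bad event itself: it has an impact and a computed likelihood."""
    id: str
    event: str
    impact: float  # loss if the event happens, in currency units
    # factor id -> probability that this factor alone lets the event happen (assumed)
    contributions: dict = field(default_factory=dict)


def likelihood(risk, factors, closed=frozenset()):
    """Noisy-OR: each open factor is an independent route to the event.

    `closed` lets callers ask "what if this factor were fixed?" without
    mutating the register.
    """
    p_none = 1.0
    for fid, p in risk.contributions.items():
        if fid in closed or factors[fid].status != "open":
            continue
        p_none *= 1.0 - p
    return 1.0 - p_none


def exposure(risk, factors, closed=frozenset()):
    """Expected loss: likelihood times impact."""
    return likelihood(risk, factors, closed) * risk.impact


def board_view(risks, factors):
    """Risks ranked by expected loss: the list leadership decides about."""
    rows = [(r.id, likelihood(r, factors), r.impact, exposure(r, factors)) for r in risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def ops_view(risks, factors):
    """Open factors ranked by how much expected loss closing each one removes,
    summed over every risk it feeds: the list the ops team works from."""
    rows = []
    for fid, factor in factors.items():
        if factor.status != "open":
            continue
        delta = sum(exposure(r, factors) - exposure(r, factors, closed={fid}) for r in risks)
        rows.append((fid, delta))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register using the two examples from the post.
FACTORS = {
    "weak_passwords": RiskFactor("weak_passwords", "Users still use weak passwords"),
    "outdated_software": RiskFactor("outdated_software", "Infrastructure runs outdated software"),
}
RISKS = [
    Risk("unauthorized_access", "Unauthorized access to critical systems", 500_000,
         {"weak_passwords": 0.30, "outdated_software": 0.20}),
    Risk("ransomware", "Ransomware planted via the outdated software", 2_000_000,
         {"outdated_software": 0.25}),
]


if __name__ == "__main__":
    print("Board view (risks by expected loss):")
    for rid, p, impact, exp in board_view(RISKS, FACTORS):
        print(f"  {rid:<20} likelihood={p:.2f} impact={impact:>10,.0f} exposure={exp:>10,.0f}")
    print("Ops view (factors by exposure removed if closed):")
    for fid, delta in ops_view(RISKS, FACTORS):
        print(f"  {fid:<20} removes {delta:>10,.0f}")
```

With these sample numbers the two views rank differently: ransomware tops the board view on expected loss, while outdated software tops the ops view because it feeds both risks. A register that stored only the factors could produce neither view, since a factor on its own has no impact to multiply by.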
When we confuse the two, we make the mistake of “accepting” risk when what we’re really doing is ignoring risk factors. And that’s dangerous — because the risk hasn’t changed, we’ve just looked away from the things that make it more likely.
So, the next time you're reviewing a risk register, ask this:
Are we describing the actual risks, or are we just listing risk factors and calling them risks?
That one clarification changes how you build your register, how you explain cyber risk to leadership, and how you prioritize resources across the team.
Board and CEO-Level Smart Questions
Here are two simple but powerful questions you can ask your cybersecurity or risk team:
Are we mistaking risk factors for actual risks in our reports — and what are the implications of that?
What are the top risk factors we’re currently tolerating, and what’s stopping us from addressing them before they turn into real incidents?
Good oversight isn’t just about knowing what could go wrong. It’s about understanding the conditions that make those things more likely — and acting on them early.
At the end of the day, cyber resilience isn’t built by reacting to risks. It’s built by managing the factors that allow those risks to happen in the first place.
That’s all for this week!
Cheers,
Siva