The simplest definition of risk is “the effect of uncertainty on objectivesISO 31000”.

Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate eventsHubbard, Douglas (2009). The Failure of Risk Management: Why It’s Broken and How to Fix It. John Wiley & Sons. p. 46. or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.Antunes, Ricardo; Gonzalez, Vicente (3 March 2015). A Production Model for Construction: A Theoretical Framework”. Buildings 5 (1): 209–228.

You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.
Kevin Mitnick

Risk Categories

For the most part risks can be characterized as being in one of three categoriesMark Davis, Identifying And Managing Business Risks, www.investopedia.com:

Preventable Risks

Preventable risks are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they receive no strategic benefits from taking them on.

Strategy Risks

A company voluntarily accepts some risk in order to generate superior returns from its strategy. […] Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains.

External Risks

External risks arise from events outside the company and are beyond its influence or control.

Risk Types

While there are innumerable types of risk, the four main typesRobert S. Kaplan, Anette Mikes, (June 2012), Managing Risks: A New Framework, Harvard Business Review. in which ProActive Risk Management (PARM) specializes are described in the following list:

Physical Risks

Physical risks include risks associated with buildings and infrastructure. The risk of fires, explosions, inventory storage and or handling are all considered to be physical risks. Hazardous material, spills, and accidents would also fall into this type. For the most part, these risks are preventable.

Environmental Risks

Natural disasters, proximity to potentially dangerous facilities and crime levels in the neighborhood all constitute environmental risks. To the extent that an enterprise has the freedom to choose the environment within which it works some of these risks are preventable, others may be strategic and the rest external.

Human Risks

Alcoholism, drug abuse, behavioral problem, criminal records and financial problems are all different types of human risks. This type also includes embezzlement, theft, and fraud. In general, all of these risks can be considered to be preventable.

Technology Risks

The newest and most rapidly growing risk category is that of technology. Hacking, identity theft, data breach and reputation damaging postings on social media are the most common of this type of risk. Threats of this type that originate within the organization should be considered to be preventable but the majority of the time they will appear from outside the enterprise and are therefore classified as external.

Managing Risk

Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. The problem with this type of thinking is that rules-based risk management will not diminish either the likelihood or the impact of all risks. Compliance does not guarantee security.

Risks that fall into the Preventable category are best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.

Risks that are classified as Strategy type risks cannot be managed through a rules-based control model. Instead, a risk-management system is needed that is designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management programs.

External risks present the most challenges. By their nature a company cannot control or influence, let alone prevent, them. Managing these risks must focus on first their identification then their impact mitigation.