Risk Exposure vs Being Exposed to Risk
Risk exposure does not refer to a vulnerability or predisposing condition in an organization that makes it susceptible or exposed to risk. For example, organizations that do not use relational database management systems (RDBMS) are not vulnerable to the threat of SQL injection. In other words, they are not “susceptible” or “exposed” to that risk.
Instead, risk exposure is a measure of potential loss, expressed as a monetary value, a score, or a scale value, in terms of likelihood, consequences, and other risk factors. Risk exposure is commonly simplified as the product of the probability and the magnitude of a consequence; that is, the expected value or expected exposure. For example, given a risk with a 50% probability of causing a financial loss of $1,000,000, the risk exposure is $500,000.