Is there a security risk in using $variable over $HTTP_POST_VARS['variable'] with post forms?

technically, yes because HTTP_POST_VARS looks for a POST from a form, where as a GET can be shoved into the address line like so.

blah.php?variable=blah

So use HTTP_POST_VARS unless you have checking systems for the GET post vars, so no one can break in with fake GET vars.