Risk
The effect of uncertainty on objectives. If an outcome has little or no effect on the achievement of your objectives, it is not a risk you need to consider.
Risk Management
Coordinated activities to direct and control an organisation with regard to risk.
Risk Management Framework
A set of components that provide the foundation and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout an organisation.
Risk Criteria
A ‘yardstick’ used to rate the likelihood and consequence of a risk. A set of well-defined risk criteria (for example, fixed scales for likelihood and consequence and an agreed scoring method) ensures that risk scoring is consistent across an organisation, so that two risk owners rating the same risk arrive at the same level of risk.
Risk Appetite
The amount and type of risk that an organisation is willing to retain. Usually, an organisation will produce a ‘Risk Appetite Statement’ that describes its risk appetite. Note: some internal policies will also contain risk appetite statements; e.g. an HR policy may state that ‘the organisation has no appetite for fraud’.
Risk Tolerance
The readiness of an organisation or stakeholder to bear risk, after risk treatment, in order to achieve its objectives.
Risk Capacity
The maximum amount of risk that an organisation is technically able to assume before breaching one or more of its constraints – e.g. capital base, reputation, regulatory obligations.
Risk Assessment
The overall process of Risk Identification, Risk Analysis and Risk Evaluation.
Risk Identification
The process of finding, recognising and describing risks. Many organisations conduct their risk identification exercise using a pre-defined Risk Framework – sometimes referred to as a ‘top-down approach’. Identifying risks based on experience or observation is a ‘bottom-up approach’. A combination of both methods is considered optimal, since a framework alone will miss risks that have not been seen before and observation alone will miss risks that have not yet materialised.
Risk Analysis
The process of comprehending the nature of a risk and determining its level. Risk Owners identify the controls that are in place, and any controls that are missing, in order to understand the current level of risk.
Risk Evaluation
The process of comparing the results of Risk Analysis with the Risk Criteria to determine whether the risk and / or its magnitude is acceptable or tolerable, or whether further risk mitigation is required.
4T Model
As part of their Risk Evaluation process, many organisations use the 4T Model to categorise their treatment decisions. The 4Ts are Treat, Tolerate, Terminate and Transfer.
Treat
The process of putting additional controls in place, or modifying existing controls, in order to further reduce the level of Residual Risk.
Tolerate
To accept a risk at its current level: the organisation or Risk Owner decides not to put any additional controls in place to reduce the risk further. This may be because the risk is already inside the Risk Appetite, or because the Risk Cost is less than the Cost to Mitigate. A decision to tolerate a risk that sits outside the Risk Appetite should be recorded and approved by the Risk Owner rather than left implicit.
Terminate
The decision to stop the activity (i.e. remove the Risk Source) that is giving rise to a risk.
Transfer
The decision to contractually transfer a risk to a third party – e.g. by taking out an insurance policy. Transfer shifts the financial consequence; accountability for managing the risk normally remains with the Risk Owner.
Risk Owner
A person or entity with the authority and accountability to manage a risk.
Likelihood
The chance that something will happen – also known as risk Frequency.
Consequence
The outcome of an event affecting objectives – also known as risk Impact.
Level of Risk
The magnitude of a risk or combination of risks – expressed as the product of consequence and likelihood, each rated on the scales defined in the Risk Criteria.
Control
A measure that maintains and / or modifies risk.
Inherent Risk
The level of risk posed before systems and controls are considered. Other terms used include Pre-Control risk and Gross risk.
Residual Risk
The level of risk remaining after risk treatment and controls are considered. Other terms used include Post-Control risk and Net risk.
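The following is an added worked example, not part of the original glossary, showing how the definitions above fit together in a small risk register: fixed likelihood and consequence scales act as the Risk Criteria, each risk is scored inherent (pre-control) and residual (post-control) as likelihood × consequence, the residual level is compared with a risk appetite threshold, and a 4T decision is derived using the page's own rules (tolerate if inside appetite or if risk cost is below cost to mitigate, treat if a planned control is affordable, otherwise terminate or transfer). The scales, the appetite threshold of 8, the annual-probability mapping used to turn a likelihood rating into a risk cost, and all four risks are constructed for illustration and are not taken from any standard or real organisation.

```python
from dataclasses import dataclass, field

# Risk Criteria: the shared yardstick. Constructed 1-5 scales (hypothetical).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Hypothetical annual probability per likelihood rating, used to express a
# risk as an expected annual loss ("risk cost") for the cost-to-mitigate test.
ANNUAL_PROBABILITY = {1: 0.05, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.90}
# Hypothetical Risk Appetite: a level of risk at or below this is inside appetite.
RISK_APPETITE = 8


@dataclass
class Control:
    """A measure that modifies risk, modelled as steps down each scale."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0
    annual_cost: float = 0.0
    in_place: bool = True          # False = proposed treatment, not yet implemented


@dataclass
class Risk:
    name: str
    source: str                    # Risk Source
    owner: str                     # Risk Owner
    likelihood: str                # key of LIKELIHOOD
    consequence: str               # key of CONSEQUENCE
    exposure: float                # loss if the risk materialises (currency units)
    controls: list = field(default_factory=list)


def level_of_risk(likelihood: int, consequence: int) -> int:
    return likelihood * consequence


def _rated_after_controls(risk: Risk, include_planned: bool) -> tuple:
    """Apply controls in place (and optionally planned ones) to the ratings."""
    lik, con = LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence]
    for ctl in risk.controls:
        if ctl.in_place or include_planned:
            lik = max(1, lik - ctl.likelihood_reduction)
            con = max(1, con - ctl.consequence_reduction)
    return lik, con


def inherent_risk(risk: Risk) -> int:
    """Gross / pre-control level: ratings before any control is considered."""
    return level_of_risk(LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence])


def residual_risk(risk: Risk, include_planned: bool = False) -> int:
    """Net / post-control level, optionally including proposed treatments."""
    return level_of_risk(*_rated_after_controls(risk, include_planned))


def risk_cost(risk: Risk) -> float:
    """Expected annual loss at the current residual likelihood (hypothetical model)."""
    lik, _ = _rated_after_controls(risk, include_planned=False)
    return ANNUAL_PROBABILITY[lik] * risk.exposure


def evaluate(risk: Risk) -> tuple:
    """Risk Evaluation: compare residual level with the criteria, return (4T decision, reason)."""
    current = residual_risk(risk)
    if current <= RISK_APPETITE:
        return "Tolerate", f"residual {current} is inside appetite {RISK_APPETITE}"
    planned = [c for c in risk.controls if not c.in_place]
    if planned:
        cost_to_mitigate = sum(c.annual_cost for c in planned)
        if risk_cost(risk) < cost_to_mitigate:
            # Page rule: risk cost below cost to mitigate. The risk stays outside
            # appetite, so this is a decision the Risk Owner must sign off.
            return "Tolerate", f"risk cost {risk_cost(risk):.0f} < cost to mitigate {cost_to_mitigate:.0f}; owner sign-off required"
        return "Treat", f"planned controls bring residual to {residual_risk(risk, include_planned=True)} for {cost_to_mitigate:.0f}"
    return "Terminate or Transfer", "no affordable treatment identified; Risk Owner must decide"


def build_register() -> list:
    """Constructed sample register (illustrative data only)."""
    return [
        Risk("Credential phishing", "email", "CISO", "likely", "major", 200_000,
             [Control("Phishing-resistant MFA", likelihood_reduction=2)]),
        Risk("Unpatched internet-facing VPN", "remote access", "Head of Infra", "almost certain", "severe", 1_000_000,
             [Control("Monthly patch cycle", likelihood_reduction=3, annual_cost=30_000, in_place=False),
              Control("Network segmentation", consequence_reduction=1, annual_cost=20_000, in_place=False)]),
        Risk("Legacy fax line to one supplier", "fax", "Procurement", "possible", "moderate", 5_000,
             [Control("Replace with encrypted portal", likelihood_reduction=2, annual_cost=40_000, in_place=False)]),
        Risk("Data centre in flood zone", "facilities", "COO", "possible", "severe", 5_000_000),
    ]


def evaluate_register(risks: list) -> dict:
    """Return {name: (inherent, residual, decision, reason)} for each risk."""
    return {r.name: (inherent_risk(r), residual_risk(r), *evaluate(r)) for r in risks}


if __name__ == "__main__":
    for name, (inh, res, decision, reason) in evaluate_register(build_register()).items():
        print(f"{name:35} inherent={inh:2} residual={res:2} {decision}: {reason}")
```

Two things the example makes visible that the definitions alone do not: the same residual score can lead to different decisions depending on whether an affordable treatment exists, and a Tolerate decision taken on cost grounds leaves the risk outside appetite, which is why the reason string records it for the Risk Owner's sign-off.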
Risk Register
A record of information about identified risks, typically including each risk's source, owner, inherent and residual levels, controls and treatment decision.
Risk Source
An element which, alone or in combination with other elements, has the potential to give rise to a risk.