Risk Management FAQ

Your risk management & governance questions answered by experts


What is risk appetite?

The amount and type of risk that an organization is willing to retain. Usually, an organization will produce a ‘Risk Appetite Statement’ that describes its risk appetite. Many organizations may have risk appetite statements or limits included in their policies.

What is risk capacity?

The maximum amount of risk that an organisation is technically able to assume before breaching one or more of its constraints – e.g. capital base, reputational, regulatory.

What is third-party risk management?

Third-party risk management (TPRM) focuses on identifying, analysing, and potentially reducing risks that may arise from an organisation's use of third parties. Third parties might also be referred to as contractors, suppliers, vendors, etc.

Why is risk management important?

It maximises the chances of achieving objectives, it brings focus on what matters, and it results in better decision-making. It is forward-looking and acts as an early warning indicator. Managing risk reduces uncertainty to tolerable levels. No organisation can claim to have good governance without it.

What is a risk management process?

Coordinated activities to direct and control an organisation with regard to risk. A good risk management process should cover risk identification, risk analysis, risk evaluation, and risk treatment, as well as risk reporting.

How can you integrate risk management into strategic planning?

You can integrate risk management into strategic planning by asking the question “What are the risks?” before making any strategic decision. All strategies must be agreed in full knowledge of the risks that arise as a result of choosing a particular course of action.

What is operational risk?

The risk of loss from failed or ineffective internal processes, people, or systems, or from external events. Examples include risks arising from technology, cyber, poor employee performance, and many more.

Is it economical to do risk management?

Yes. Studies have shown that any investment in risk management results in fewer losses and better decision-making, leading to better overall performance.

What are risk triggers?

A risk trigger is another way of saying a risk event. The trigger, or event, is usually the first in a sequence of cascading consequences that collectively describe a risk. When triggers happen they usually cause pre-planned responses to be invoked so that the effects can be mitigated.

What is a risk management plan?

This is a document that articulates an organisation’s vision for managing risk. It usually contains the scope and rationale for the initiative, the objectives and how the organisation intends to achieve these and which individuals/functions will be involved/leading the initiative.

How do you write a risk management statement?

Risk management statements are at the core of a risk management policy. They are declarations by the organisation of its commitment to formally manage the risks that arise as a result of its decisions to pursue certain objectives. They include commitments to resource the activity and to integrate it into all planning and operational processes.

What are pure risks?

Pure risks are those that only have a downside like a fire or a flood, whereas other risks may have a potential upside as well as a downside, e.g. an investment in stocks and shares.

What is enterprise risk management?

Also referred to as enterprise-wide risk management, this is the practice of risk management across the whole organisation rather than in a single silo such as the finance department. It requires a consistent method or process so that risks from different operational areas can be collated into one single risk register for the organisation.

What is a risk management framework?

A risk management framework usually includes leadership, policy, resources (people and financial), defined roles and responsibilities, defined processes and plans, and clarity on how risk will be measured and reported.

What are risk criteria?

Risk criteria are the terms of reference against which the level of risk will be assessed in an organisation. They differ for each organisation and depend on its priorities and objectives.

What is the difference between a crisis and an incident?

A crisis is a situation that is bigger and more serious than an incident. A crisis can pose higher uncertainty and disrupt critical activities. It could arise from incidents that are left unresolved or not resolved properly.