Risk Management Dictionary: Terms and Definitions
The Comprehensive Risk Management Glossary serves as an essential resource for professionals, students, and researchers in the field of risk management. This extensive compilation encompasses a wide array of terms and definitions spanning various aspects of risk assessment, mitigation, and control across multiple industries. From financial and operational risks to environmental and technological hazards, this glossary provides clear, concise explanations of key concepts, methodologies, and best practices. By offering a standardized lexicon, it facilitates better communication and understanding among risk management practitioners and stakeholders worldwide.
A
- Acceptance: A risk response strategy where the organization decides to accept the consequences of a risk if it occurs.
- Acceptable Risk: A level of risk that an organization considers tolerable, i.e. within its risk appetite; also called an acceptable level of risk.
- Absolute Risk: The overall probability of an event occurring.
- Active Risk: The portion of a portfolio’s risk that is attributable to active management decisions, as opposed to market movements.
- ALARP (As Low As Reasonably Practicable): A principle stating that risks should be reduced to the lowest level achievable, weighing the cost of further reduction against the benefit it brings.
- Authentication: The verification of the claimed identity of an individual, system, machine, or any other unique entity, typically before access is granted. Distinct from authorization, which decides what an authenticated entity is permitted to do.
- Avoidance: A risk strategy that involves eliminating the threat or protecting the project from its impact.
B
- Baseline Risk: The inherent risk level of a process or activity before any control measures are applied.
- "Black Swan" Event: An extremely rare event with a severe and widespread impact that is often rationalized after the fact as if it had been predictable. Nassim Nicholas Taleb popularized the term in his 2007 book The Black Swan, which examines the outsized effect of rare, unpredictable outlier events and the human tendency to construct simplistic explanations for them in hindsight. Examples include major financial crashes, natural disasters, and other events that fall outside standard models and normal expectations.
- Business Continuity Planning (BCP): The process of creating systems of prevention and recovery to deal with potential threats to a company.
- Business Impact Analysis (BIA): An assessment of the potential impact of disruptions to critical business functions.
C
- Catastrophic Risk: The risk of a high-impact event that can cause significant damage to an organization's operations or finances.
- Causal Analysis of Risk: The characterization of risk in the context of causality, identifying trigger events, risk events, and mitigating events.
- Compliance Risk: The risk of legal or regulatory violations.
- Contingency Plan: A predefined set of actions to be taken if a risk event occurs.
- Committee Charter: A document that defines the purposes and responsibilities of the oversight committee; also commonly referred to as the committee's Terms of Reference.
- Compliance Risk Profile: The current and prospective risk to earnings or capital arising from violations of or nonconformance with laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards.
- Control: A measure implemented to reduce or manage a risk.
- Control Assessment: A high-level review and analysis of controls relating to a process encompassing both current and missing controls.
- Control Framework: A management structure that unifies isolated risk control approaches into a collectively motivated control environment in which all control functions are focused on achieving the organizational objectives.
- Core Competency: A particular strength relative to other organizations that provides the fundamental basis for added value and strategic advantage.
- Corporate Governance: The system of rules, practices and processes by which a company is directed and controlled.
- Corporate Risk: The overall risk faced by an organization, encompassing various types of risks.
D
- Disaster Recovery Plan: A detailed plan for responding to and recovering from a disruptive event.
- Downside Risk: The potential loss in value of an investment, measured by the likelihood and magnitude of negative returns.
- Dynamic Risk: Risks that change over time and can be influenced by factors such as economic conditions, technological advances, or regulatory changes.
E
- Emerging Risk: A novel manifestation of risk or type that has not been experienced previously.
- Emerging Risk Sensing: The range of activities carried out to identify and understand evolving sources of risk that could significantly impact the organization.
- Environmental scanning: A process of systematically exploring and interpreting a broad array of macro- and micro-environments to identify trend indicators, better understand the drivers of change, and gauge their potential future impact on the organization.
- Enterprise Risk Management (ERM): A comprehensive approach to identifying, assessing, and managing risks across an entire organization. It is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
- ERM Policy Statement: Defines an organization’s approach to and method of enterprise risk management coordinated activities.
- Event: A potential occurrence that could have a positive or negative impact.
- Exposure: The extent to which an organization is subject to a risk event.
F
- Financial Risk: The possibility of losing money on an investment or business operation due to market fluctuations, credit issues, or other financial factors.
- Force Majeure: Unforeseeable circumstances that prevent fulfillment of a contract.
G
- Gap analysis: Comparison of an existing process or procedure (the current state, what is) with a desired future state (what should be) in order to identify deficiencies or excesses in the existing process and decide what to address.
- Governance: Processes and structures implemented to communicate, manage, and monitor organizational activities.
- Governance Risk: The risk associated with the way an organization is directed, administered, and controlled.
- Governing Body: The board of directors, supervisory board, board of trustees, general partners, or owner that oversees the organization (COSO Executive Summary 2017).
- Gross Risk: The total risk before any risk mitigation measures are applied.
H
- Hazard: A source of potential harm or damage.
- Hazard Risk: Risks that have the potential to cause harm to people, property, or the environment.
- Hazardous Event: A specific situation in which a hazard could cause harm; identifying it is essential for assessing the potential consequences and the population at risk.
- Hedging: The practice of making investments or taking actions to reduce the risk of adverse price movements in an asset.
I
- Impact: The consequence or effect of a risk event if it occurs.
- Inherent Risk: The level of risk present in an activity before any controls or mitigating actions are implemented.
- Insurance: A risk management tool that transfers risk from an individual or entity to an insurance company in exchange for premiums.
K
- Key Control: A primary control that is essential for a business process; it typically occurs during the process it applies to.
- Key Indicators: Measurements that are important for organizations to monitor for potential issues; examples include key performance indicators (KPIs) and key risk indicators (KRIs).
- Key Control Indicator (KCI): A metric used by organizations to measure the effectiveness of their key controls in managing risks within business processes. KCIs provide a quantifiable measure of the performance and efficiency of controls implemented to mitigate specific risks. These indicators are often used in risk management, compliance, and audit functions to ensure that key controls are working as intended and to identify areas where controls may need enhancement. By monitoring KCIs, organizations can proactively manage risks and maintain compliance with regulatory requirements, safeguard assets, and ensure the integrity of financial reporting.
- Key Risk Indicator (KRI): A measure used to indicate the potential, presence, or level of risk.
- Key Performance Indicator (KPI): A crucial measurement tool that assesses the effectiveness of key business processes and activities against established goals.
L
- Lagging Indicators: Measures that develop in parallel with or after a development or trend (e.g. the number of near misses or other events).
- Leading Indicators: Measures that develop in advance of or in parallel with a development or trend. Examples:
  - Customer Complaints
    - Definition: The number of customer complaints received over a specified period.
    - Explanation: An increase in customer complaints can indicate potential issues with product quality, service delivery, or customer satisfaction, which, if not addressed promptly, may lead to reputational damage or financial losses.
  - Employee Turnover Rate
    - Definition: The rate at which employees leave the organization and need to be replaced within a given timeframe.
    - Explanation: A high or increasing employee turnover rate can signal underlying problems such as poor workplace culture, dissatisfaction with management, or inadequate compensation, which could result in operational disruptions and increased recruitment costs.
- Likelihood: The probability that a risk event will occur.
- Liquidity Risk: The risk that an entity will not be able to meet its short-term financial obligations due to an inability to convert assets to cash quickly.
- Loss: The negative outcome of a risk event.
M
- Mitigation: Actions taken to reduce the impact or likelihood of a risk.
- Moral Hazard: The risk that a party insulated from risk may behave differently than if they were fully exposed to the risk.
N
- Net Risk: The remaining risk after all risk mitigation measures have been applied.
- Non-financial Risk: Risks that are not directly related to financial losses, such as operational, reputational, or compliance risks.
O
- Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.
- Operational Risk Profile: The risk arising from the execution of an organization's business processes and/or the risk of loss resulting from failed or inadequate internal processes, systems, people, or other entities.
- Opportunity: A favourable or advantageous combination of circumstances and/or a pertinent occasion or time that, if acted upon, may improve an organization’s position.
- Opportunity Risk: The risk of missing out on potential benefits by not pursuing certain actions or investments.
- Organizational Objectives: An organization's goals, which serve as the benchmark against which risk tolerance is set and with which management structures must align.
P
- PESTLE Analysis: PESTLE is an acronym for Political, Economic, Social, Technological, Legal, and Environmental. It names the categories used to scan and analyze an organization's external (macro) environment. Other forms of the acronym include "PEST" and "PESTEL."
- Potential Event: An identified occurrence that could affect an organization, recorded so that it can be planned for and its adverse effects mitigated.
- Price Risk Profile: The risk to earnings or capital arising from adverse changes in portfolio values.
- Probability: The statistical chance of a risk event occurring.
- Probability of Harm: The likelihood of an identified hazard causing harm.
- Process: The principal elements of essential business functions within work groups or business units; in business continuity planning, a set of tasks completed by plan owners within a department.
- Product: An item offered in a competitive market that serves a consumer need.
- Product Liability: The liability of manufacturers, processors, distributors, and sellers of products for personal harm, injury, or damage.
- Pure Risk: Risk that only results in loss and has no opportunity for gain, such as natural disasters or accidents.
Q
- Qualitative Risk Analysis: A subjective evaluation of risks based on probability and impact.
- Quantitative Risk Analysis: A numerical analysis of the effect of risks on project objectives.
- Quantification of Risk: Articulating the size of a risk, typically through estimates or expert judgment.
R
- Reputation Risk Profile: The current and prospective risk to earnings or capital arising from negative public opinion or perception.
- Residual Risk: The risk remaining after risk response strategies have been implemented.
- Resilience: The capability and capacity of an organization to reorganize under change and continually deliver its mission despite the impact of external or internally generated risks.
- Risk: The possibility of an event occurring that will have a negative impact.
- Risk Appetite: The level of risk an organization is willing to accept in pursuit of its objectives.
- Risk Assessment: The process of identifying, analyzing, and evaluating risks.
- Risk-based Regulation: Where consideration of risk is embedded in regulatory decision-making at all levels.
- Risk Champion: Any person in an organization who is a leader and influences peers regarding the value that risk management adds to the organization.
- Risk Communication: The interactive exchange of information and opinions concerning risk among stakeholders.
- Risk Culture: The beliefs, values, norms and traditions of the behaviour of individuals and groups within an organization that determine the way in which they identify, understand, discuss and act on risk(s) that an organization confronts and takes. (RIMS, Exploring Risk Appetite and Risk Tolerance, 2012)
- Risk Driver: a factor that has a strong influence on the eventual outcome or result, that is, on whether or not key objectives will be achieved.
- Risk Evaluation: The process of integrating the results of a risk assessment with policy considerations to characterize the risk and guide decisions regarding risk management.
- Risk Governance: Encompasses the oversight, practices and respective roles and responsibilities for risk within an organization’s unique corporate governance.
- Risk Management: The systematic process of identifying, assessing, and controlling risks.
- Risk Matrix: A visual tool used to assess and prioritize risks based on their likelihood and impact.
- Risk Mitigation: Actions taken to reduce the severity, impact, or likelihood of a risk.
- Risk Owner: The person responsible for managing a particular risk.
- Risk Perception: Attributions of, and recognition of, the presence of risk.
- Risk Portfolio: A broad collection, range and interdependencies of uncertainties that can affect an organization’s future.
- Risk Preference: A tendency towards making more or less risky choices according to a utility function.
- Risk Profile: The categorization and assessment of different types of risks that may affect an organization’s financial stability and operational integrity.
- Risk Register: A document that records identified risks, their severity, and the actions to be taken.
- Risk Tolerance: The acceptable variation or deviation from expected performance related to risk.
- Risk Transfer: Shifting the impact of a risk to a third party, often through insurance.
- Risk Treatment: A decision or process to modify risk (ISO 31073).
- Root Cause: Underlying or initiating risk source or driver that produces certain outcomes or changes the impact of an outcome or outcomes. Commonly used to describe the point in a chain of events or conditions where an intervention could reasonably be implemented to improve performance or prevent an undesirable outcome.
- Root Cause Analysis: A systematic approach for identifying the underlying causes of a risk or incident, in which a defined risk is analyzed through questions such as "What can make this happen?"
- Risk Velocity: The speed at which a risk event impacts an organization.
- ISO Guidance: International standards and guides for planning, directing, and controlling organizational activities concerning uncertainty and risk. Notable examples include ISO 31000:2018 (Risk management: Guidelines) and ISO Guide 73:2009 (Risk management: Vocabulary, since superseded by ISO 31073:2022), which outline structured approaches for managing risks to organizational operations, assets, and reputation.
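As an added worked example (not part of the original glossary), the following Python ties several of the entries above together: a risk register whose entries are scored on a 5x5 likelihood-by-impact risk matrix, inherent (gross) versus residual (net) risk once controls are credited, a risk appetite expressed as a matrix band, and triage ordering that uses risk velocity as a tie-breaker. The ordinal scales, band cut-offs, control effects and register entries are all constructed assumptions for illustration, not figures from any real organization.

```python
from dataclasses import dataclass, field

# 5-point ordinal scales and band cut-offs are assumptions; organizations set their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ["low", "medium", "high", "critical"]  # ordered from least to most severe


def matrix_band(score: int) -> str:
    """Map a likelihood x impact product (1..25) onto a qualitative matrix band."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale credited to this control
    impact_reduction: int = 0      # steps down the impact scale credited to this control


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str          # the risk owner accountable for managing this risk
    likelihood: str
    impact: str
    velocity: str = "slow"  # speed of onset; "fast" risks are triaged first on score ties
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Gross/inherent risk: scored before any control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Net/residual risk: controls move the risk down the scales, floored at 1."""
        like = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(1, like) * max(1, imp)


def exceeds_appetite(band: str, appetite: str) -> bool:
    """True when a residual band sits above the band the organization will tolerate."""
    return BANDS.index(band) > BANDS.index(appetite)


def triage(register, appetite):
    """Risks whose residual band is above appetite, most urgent first:
    higher residual score first, fast velocity before slow when scores tie."""
    over = [r for r in register if exceeds_appetite(matrix_band(r.residual_score()), appetite)]
    return sorted(over, key=lambda r: (-r.residual_score(), r.velocity != "fast"))


def build_sample_register():
    """Constructed sample register entries (hypothetical, not real organizational data)."""
    return [
        Risk("R-01", "Ransomware encrypts file servers", "CISO", "likely", "severe", "fast",
             [Control("EDR on all endpoints", likelihood_reduction=1),
              Control("Offline, tested backups", impact_reduction=2)]),
        Risk("R-02", "Key supplier insolvency", "CFO", "possible", "major", "slow",
             [Control("Dual sourcing for critical parts", impact_reduction=1)]),
        Risk("R-03", "Office flooding", "COO", "rare", "moderate", "fast"),
        Risk("R-04", "Fine for data-retention breach", "General Counsel", "possible", "major", "slow",
             [Control("Automated retention enforcement", likelihood_reduction=2)]),
    ]


def report(register, appetite="medium"):
    """One row per risk: inherent and residual scores, residual band, appetite check."""
    rows = []
    for r in register:
        inh, res = r.inherent_score(), r.residual_score()
        rows.append({"id": r.risk_id, "owner": r.owner, "inherent": inh, "residual": res,
                     "band": matrix_band(res),
                     "over_appetite": exceeds_appetite(matrix_band(res), appetite)})
    return rows


if __name__ == "__main__":
    reg = build_sample_register()
    for row in report(reg):
        print(row)
    print("Treat first:", [r.risk_id for r in triage(reg, "medium")])
```

The point the example makes is that a control which only lowers impact (backups) and one which only lowers likelihood (endpoint detection) combine into a residual score, and that the register is triaged on the residual band against appetite rather than on the headline inherent score; R-04 starts at the same inherent score as R-02 but falls within appetite once its control is credited.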
S
- Secondary Control (Redundant Control): An important control that typically occurs after the process it applies to (e.g., reporting or ongoing monitoring).
- Sensitivity Analysis: A technique for determining how different values of an independent variable impact a particular dependent variable.
- Severity of Harm: The degree of harm that a hazard can potentially cause.
- Speed of Onset: The time it takes for a risk event to become apparent after it has occurred.
- Stakeholder: Any individual or organization that is directly or indirectly involved with or affected by an organization’s decisions and activities.
- Strategic Risk: The risk associated with an organization’s strategy and strategic objectives, as well as internal or external uncertainties, whether event- or trend-driven, that impact its strategies and/or their implementation.
- Strategic Risk Assessment: a systematic and continual process for assessing the strategic risks facing an organization.
- Strategic Risk Management (SRM): a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategic execution.
- Strategic Risk Profile: The current and prospective risk to earnings or capital arising from adverse business decisions, improperly implemented decisions, or lack of responsiveness to industry changes.
- Strategy: A complete plan of action for whatever situations may arise in achieving an organization’s goals within the established time. An organization’s strategic plans will determine the actions the organization will take at any stage of the planning period as circumstances change.
- Systemic Risk: The risk of collapse or major disruption of an entire system, often used in the context of financial markets or the economy.
- Scenario Planning: A structured way for individuals or organizations to think about multiple plausible ways in which the future might unfold. The technique is used to inspire imagination and provoke “thinking the unthinkable,” thereby increasing emerging risk sensing. Alternate definition from Art of the Long View, Peter Schwartz (1996): a tool for ordering one’s perceptions about alternative future environments in which one’s decisions might be played out.
- SWOT Analysis: SWOT stands for Strengths, Weaknesses, Opportunities, and Threats. It is an analytic approach for environmental scanning that combines internal and external context with obstacles and accelerators to success in achieving objectives.
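The Sensitivity Analysis, Risk Driver and Quantitative Risk Analysis entries describe a technique the page states but does not show. The following Python is an added example (not from the original glossary) of one-at-a-time sensitivity analysis over a simple multiplicative loss model: each input carries a low/base/high three-point estimate, and the analysis swings one input at a time while holding the others at their base value, ranking inputs by how far they move the expected annual loss. The data-breach scenario and all its figures are constructed assumptions.

```python
import math

# One-at-a-time ("tornado") sensitivity analysis over a multiplicative loss model.
# Each input is a (low, base, high) three-point estimate from expert judgment.


def annual_expected_loss(inputs: dict) -> float:
    """Expected annual loss as the product of the inputs: frequency times magnitude factors."""
    return math.prod(inputs.values())


def sensitivity(estimates: dict):
    """estimates: {input_name: (low, base, high)}.

    Returns (base_result, rows); rows are sorted by swing, largest first, so the
    top row is the risk driver whose uncertainty most moves the estimate."""
    base_inputs = {name: est[1] for name, est in estimates.items()}
    base = annual_expected_loss(base_inputs)
    rows = []
    for name, (low, _base, high) in estimates.items():
        lo_out = annual_expected_loss({**base_inputs, name: low})
        hi_out = annual_expected_loss({**base_inputs, name: high})
        rows.append({"input": name,
                     "low": round(min(lo_out, hi_out), 2),
                     "high": round(max(lo_out, hi_out), 2),
                     "swing": round(abs(hi_out - lo_out), 2)})
    rows.sort(key=lambda r: r["swing"], reverse=True)
    return round(base, 2), rows


# Constructed data-breach scenario (hypothetical figures, not real data).
SAMPLE_ESTIMATES = {
    "annual_frequency": (0.05, 0.2, 0.5),          # breaches per year
    "records_affected": (10_000, 50_000, 200_000),  # records exposed per breach
    "cost_per_record": (50, 150, 300),              # currency units per record
}


if __name__ == "__main__":
    base, rows = sensitivity(SAMPLE_ESTIMATES)
    print(f"base expected annual loss: {base:,.0f}")
    for r in rows:
        print(f"{r['input']:>18}: {r['low']:>12,.0f} .. {r['high']:>12,.0f}  swing {r['swing']:,.0f}")
```

The ranking tells the analyst where better information pays off: in this scenario the number of records affected dominates, so effort spent narrowing that estimate (or reducing it through data minimization) reduces uncertainty in the loss figure more than refining the cost per record. One-at-a-time swings ignore interactions between inputs, which is the usual caveat before moving to a full Monte Carlo treatment.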
T
- Tertiary Control: A non-essential control that can still be applied effectively to a business process.
- Threat: A potential source of harm or danger.
- Triage: The process of determining the priority of risk management actions based on the severity and likelihood of risks.
- 4T: The four main strategies for dealing with risk: Terminate (eliminate the risk), Treat (mitigate the risk), Transfer (shift the risk to another party), and Tolerate (accept the risk).
U
- Uncertainty: The state of lacking information about an event, its consequences, or its likelihood; the degree of certainty also differs between individuals according to their personal experience and beliefs.
- Uncertainty Analysis: The recognition and assessment of uncertainties in all the activities concerning the scientific process of risk assessment.
- Upside Risk: The potential for positive outcomes or gains, as opposed to losses.
V
- Value: The benefit created when an organization makes products or delivers services that people outside the organization find worthwhile, useful, convenient, effective or otherwise desirable, or of some importance to the purchaser or user.
- Value Chain: A high-level model developed by Michael Porter that describes the process by which businesses receive raw materials, add value to the raw materials through various processes to create a finished product and then sell that end product to customers.
- Value chain analysis: A strategy tool used to analyze internal firm activities. Its goal is to recognize which activities are the most valuable (i.e., are the source of cost or differentiation advantages) to the firm and which ones could be improved to provide a competitive advantage.
- Values: An organization’s cultural beliefs and behaviours form the foundation on which it performs its work and how its people conduct themselves; they are sometimes referred to as core values.
- Vulnerability: The degree to which an organization, system, or asset is susceptible to harm. In information security the term is used more narrowly for a specific weakness in a system, process, or control that a threat could exploit; a vulnerability contributes to risk only when a threat capable of exploiting it exists.
W
- Worst-case Scenario: The most severe possible outcome of a risk event, used for planning and preparedness.
Maxim Atanassov, CPA-CA
Serial entrepreneur, tech founder, investor with a passion to support founders who are hell-bent on defining the future!
I love business. I love building companies. I co-founded my first company in my 3rd year of university. I have failed and I have succeeded. And it is that collection of lived experiences that helps me navigate the scale-up journey.
I have founded 6 companies to date that are scaling rapidly. I also run a Venture Studio, a Business Transformation Consultancy and a Family Office.