Risk
The effect of uncertainty on objectives. If an outcome has little or no effect on the achievement of your objectives, then it is not a risk you need to consider.
Risk Management
Coordinated activities to direct and control an organisation with regard to risk.
Risk Framework
A set of components that provide the foundation and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout an organisation.
Risk Criteria
A ‘yardstick’ which can be used to estimate the likelihood and consequence of a risk occurring. A set of well-defined risk criteria will ensure consistency in risk scoring in an organisation.
Risk Appetite
The amount and type of risk that an organisation is willing to retain. Usually, an organisation will produce a ‘Risk Appetite Statement’ that describes its risk appetite. Note: some internal policies will also have risk appetite statements.
Risk Tolerance
The readiness of an organisation or stakeholder to bear risk, after risk treatment, in order to achieve its objectives.
Risk Capacity
The maximum amount of risk that an organisation is technically able to assume before breaching one or more of its constraints, e.g. capital, reputational or regulatory constraints.
Risk Assessment
The overall process of Risk Identification, Risk Analysis and Risk Evaluation.
Risk Identification
The process of finding, recognising and describing risks. Many organisations conduct their risk identification exercise using a pre-defined Risk Framework – sometimes referred to as a ‘top-down approach’. Identifying risks based on experience or observation is a ‘bottom-up approach’. A combination of both methods is considered optimal.
Risk Analysis
A process for comprehending the nature of risk and determining the level of risk. Risk Owners identify controls that are in place and any missing controls in order to understand the level of current risk.
Risk Evaluation
The process of comparing the results of Risk Analysis with the Risk Criteria to determine whether the risk and/or its magnitude is acceptable or tolerable, or whether further risk mitigation is required.
4T Model
As part of their Risk Evaluation process, many organisations use the 4T Model to categorise their decisions. The 4Ts are Treat, Tolerate, Terminate and Transfer.
Risk Treatment
The process of putting additional controls in place or modifying existing controls in order to further reduce the level of Residual Risk.
Tolerate
To accept a risk at its current level: the decision by an organisation or risk owner not to put any additional controls in place in order to further reduce a risk. This may be because the risk is already inside the Risk Appetite or because the Risk Cost is less than the Cost to Mitigate.
Terminate
The decision to stop an activity (terminate the Risk Source) that is giving rise to a risk.
Transfer
The decision to contractually transfer a risk to a third party – e.g. an insurance underwriter.
Risk Owner
A person or entity with the authority and accountability to manage a risk.
Likelihood
The chance that something will happen – also known as risk Frequency.
Consequence
The outcome of an event affecting objectives – also known as risk Impact.
Level of Risk
The magnitude of a risk or combination of risks – expressed as the product of consequence and likelihood.
Control
A measure that maintains and/or modifies risk.
Inherent Risk
The level of risk posed before the systems and controls are considered. Other terms used include Pre-Control and Gross risk.
Residual Risk
The level of risk remaining after risk treatment and controls are considered. Other terms used include Post-Control and Net risk.
Risk Register
A record of information about identified risks.
Risk Source
An element which alone or in combination with other elements has the potential to give rise to a risk.