RISK MANAGEMENT REVIEWER
Business Model- Customer offering that
utilizes resources, underpinned by
resilience (CORR)
Compliance Risk- Category of risk that is
associated with the management of
mandatory obligations
Consequences- Effect on the strategic,
tactical, operational and compliance
(STOC) core processes resulting from a
risk materializing
Control- Actions to reduce the likelihood
and/or magnitude of a risk. Hazard
controls can be preventive, corrective,
directive or detective (PCDD)
Control Risk- Category of risk that is
associated with the management of
uncertainty
Corporate Social Responsibility-
Actions to take account of the impact of
activities on stakeholders (CSFSRS), as
well as the environment
Current Risk- Existing level of risk taking
into account the controls in place,
sometimes referred to as ‘net risk’ or
‘managed risk’, but most frequently as
‘residual risk
Hazard Risk- Category of risk that is
associated with the management of pure
risks or perils – the effects of hazard risks
need to be mitigated
Impact- Effect on the finances,
infrastructure, reputation and marketplace
(FIRM) when a risk materializes
Inherent Risk- Level of a risk before any
control activities are applied, sometimes
referred to as the
‘gross level’ or ‘absolute level’ of the risk.
Level of Risk- Combination of the
likelihood and impact of the risk, as
established during the risk rating stage of
risk assessment and can be determined at
either gross (inherent) or net (residual)
level
Likelihood- Evaluation or judgement
regarding the chances of a risk
materializing, sometimes established as a
‘probability’ or ‘frequency’
Magnitude- Size of the event when a risk
materializes, sometimes referred to as
‘severity’ of the event and representing
the gross (or inherent) level of the risk.
- Impact or consequence or severity
Material Failure- Failure of controls in an
organization, resulting in loss of a
magnitude that is considered important by
auditors
Operational Risk- Defined in Basel II as
‘risk of loss or gain, resulting from
inadequate or failed internal processes,
people and systems or from external
events’ and capable of impacting the
operations of the organization
Operations- Activities of the organization
designed to deliver products and services
to customers or clients
Opportunity Risk- Category of risk that is
associated with the benefits of speculative
opportunities
Project Risk- Risk that could cause doubt
about the ability to deliver a project on
time, within budget and to quality
RISK Meanings
ISO Guide 73/ISO 31000- Effect of
uncertainty on objectives. Note that an
effect may be positive, negative, or a
deviation from the expected. Also, risk is
often described by an event, a change in
circumstances or a consequence.
Institute of Risk Management (IRM)-
Risk is the combination of the probability
of an event and its consequence.
Consequences can range from positive to
negative.
Orange Book from HM Treasury-
Uncertainty of outcome, within a range of
exposure, arising from a combination of
the impact and the probability of potential
events
Institute of Internal Auditors- The
uncertainty of an event occurring that
could have an impact on the achievement
of the objectives. Risk is measured in
terms of consequences and likelihood.
-Risks can be classified according to the
nature of the attributes of the risk, such as
timescale for impact, and the nature of the
impact and/or likely magnitude of the risk.
Risk appetite- Defined in Guide 73 as
‘amount and type of risk that an
organization is willing to pursue or retain’
but definitions of risk appetite can vary
considerably
Risk assessment- Means by which
significant risks are evaluated and
prioritized by undertaking the three stages
of ‘Risk recognition’, ‘Risk rating’ and ‘Risk
ranking
Risk assurance- Means by which an
organization receives reasonable
assurance that the significant risks are
being adequately controlled
Risk attitude- Long-term view of the
organization to risk defined by the 4Cs of
comfort, concerned, cautious and critical
Risk capacity- Maximum level of risk to
which the organization should be
exposed, having regard to financial and
other resources
Risk criteria- Basis for ranking or
evaluation of the significance of a risk –
will define the risk appetite of an
organization
Risk exposure- Level of risk to which the
organization is actually exposed, either
with regard to an individual risk or the
cumulative exposure to the risks faced by
the organization
Risk management- Management
activities to deliver the most favourable
outcome and reduce the volatility or
variability of that outcome
Risk management manual-
Documentation that includes all risk
management policies, procedures,
protocols and guidelines
Risk management policy- Statement of
the overall intentions and direction of the
organization related to risk management –
often a one-page document
Risk management process- Activities
that deliver management and control of
risks – defined in this book as recognition,
rating, ranking, responding, resourcing
controls, reaction planning, reporting and
review (8Rs)
Risk management standard- Guidance
that provides a description of the risk
management process, together with
advice on establishing a suitable risk
management framework
Risk Matrix- Presentation of risk
information on a grid or graph, also
referred to as a risk map or heat map and
often used to illustrate information from
the risk register
Risk ranking- Stage in the risk
assessment process that analyses the
likelihood and impact of a risk
Risk rating- Stage in the risk assessment
process that evaluates the risk with
reference to the risk appetite or the
established risk criteria, to help select the
appropriate risk response
Risk recognition- Early stage in the risk
management process, which involves the
identification of all of the risks faced by the
organization
Risk register- Record of the significant
risks faced by an organization, the
controls currently in place, additional
controls that are required and
responsibility for control activities
Risk tolerance- Deviation from the
expected level of risk leading to
implementation of risk escalation
procedures – definitions of risk tolerance
can vary considerably
Significant risk- Risk with the ability to
impact above the established benchmark
for that type of risk
Stakeholder- Persons or groups of
persons with an interest in the activities of
the organization, summarized by CSFSRS
Strategic risk- Long-term or opportunity
risk concerned with where the
organization wants to go, how it plans to
get there and how it can ensure survival
Strategy- Statement of where the
organization wants to be in three or five
years time, often defined by strategic
objectives
Tactical risk- Medium-term, control or
uncertainty risk associated with change
and projects designed to ensure that the
organization delivers the planned strategy
Tactics- Developments, projects and
programmes of work to implement
strategy and move the organization from
where it is now to where it wants to be in
three or five years time
Target risk- The ultimate level of risk that
is desired by the organization when
planned additional controls have been
implemented
Terminate- Risk response that is
appropriate when the level of risk is not
acceptable to the organization or outside
risk appetite, also referred to as ‘avoid’ or
‘eliminate’
Tolerate- Risk response that is
appropriate when the level of risk is within
risk appetite, also referred to as ‘accept’ or
‘retain’
Transfer- Risk response for risks outside
risk appetite that the organization wishes
to transfer or share, by means of
insurance, contract or (perhaps) joint
venture
Treat- Risk response for risks that can be
(further) treated by introduction of
cost-effective (corrective) controls, also
referred to as ‘control’ or ‘reduce
Upside of Risk- Additional benefits
available to the organization by taking risk