Risk Glossary 

Annual Internal Risk Audit: A detailed assessment of risk conducted by an internal auditor or risk manager employing audit standards and using a formalized approach to select categories of risk for inclusion in the annual audit plan.

Audit Cycle: The duration of time between scheduled risk audits for a business enterprise. For example:
- Every year for a high-risk enterprise
- Every other year for an above-average-risk enterprise
- Every four years for a moderate-risk enterprise
- Every six years for a low-risk enterprise

Audit History: The scores or ratings of risk over time resulting from a detailed cyclical measurement of risk using auditing standards.

Chief Risk Officer (CRO): A senior manager with day-to-day oversight of enterprise risk management.

Cost-of-Risk: The financial impact to an organization from undertaking activities with an uncertain outcome, including such factors as the cost of managing those risks, cost of transferring potential liabilities, cost of sustaining uninsured or uninsurable losses, and cost of loss of use. Common determinants of Cost-of-Risk and impacts to Risk Ratings are:
- Frequency of occurrence
- Severity of potential loss
- Cost to mitigate
- Degree of uncertainty
- Financial value at risk
- Benefit potentially lost

Enterprise Risk Management (ERM): An integrated approach to assessing, analyzing and managing all risks that threaten profitability and survivability of an enterprise. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate risks of greatest concern. The ERM framework enables management to work collaboratively to identify, assess, and manage existing and future risks that are integrated across the enterprise in various ways; it is also known as business, holistic, strategic, or integrated risk management. ERM:
- Is central to an enterprise’s strategic planning and management
- Is focused on identifying and treating risks of all types
- Adds maximum sustainable value to all activities
- Increases probability of success and minimizes probability of failure
- Is continuous; integrated with plan implementation
- Is integrated with organizational culture and led by senior management
- Assigns responsibility of risk control throughout the enterprise at each position

Ian Dunn   

9 October 2013 

Enterprise Risk Management Framework (ERM Framework): A structured process for managing risk of an enterprise in iterative steps:
- Risk Identification – Identify risk factors
- Risk Analysis – Analyze risk impact
  o Assessment – Measure the risk levels associated with risk factors
  o Quantification – Turn qualitative risk data into quantitative data
  o Interpretation – Interpret the quantitative data
  o Report – Compile the data and recommend action
- Risk Response – Establish an action plan and acceptance of risk controls; assign those responsible to respond to risk and establish deadlines
- Risk Control – Implement a solution to reduce or transfer risk
- Risk Monitoring – Observe implemented risk controls and report the results

Failure Risk: The probability that an enterprise will experience a business interruption or cease to operate.

Impact: Effect or result of an activity or event. Impact can be positive or negative relative to the objectives of the enterprise, and there can be a range of possible impacts associated with any single activity or event.

Inherent Risk: The risk to the enterprise in the absence of any actions management might take to otherwise alter the likelihood that the risk could result in a negative impact.

Internal Environment: Encompasses the culture of an enterprise and sets the basis for how risks are viewed and managed, including risk management philosophy, risk appetite, and the overall environment in which the enterprise operates.

Interpretation: Study of quantitative risk data to associate results with overall impact to an enterprise.

Likelihood: Probability; the possibility of a condition or event occurring.

Loss Control: The technique of minimizing the severity of loss once a condition arises or an event occurs that causes a negative impact.

Maximum Profitability: The highest level of profitability achievable by an enterprise under ideal conditions.

Metrics: The means by which to measure the effectiveness and/or success of risk mitigation techniques.

Opportunity: The possibility that a condition will arise or an event will occur that will have a positive impact on achievement of the enterprise’s objectives.

Probability: Likelihood; the possibility of a condition or event occurring.

Profitability: The ability of an enterprise to generate revenues in excess of the costs incurred to produce those revenues, often measured by a rate of profit or rate of return on investment.

Profitability Risk: The likelihood that an enterprise will not achieve its Maximum Profitability.

Quantification: Conversion of qualitative risk data into quantitative data.

Residual Risk: The risk that remains after an enterprise has responded to risk by deploying risk controls.

Risk: The possibility of suffering loss or harm.

Risk Acceptance: Occurs when no action is taken to prevent the likelihood of harm to an enterprise as a result of a known condition or event.

Risk Analysis: Describing and assessing individual risks, estimating the impact of each on the enterprise, and developing a corresponding risk profile and recommended mitigation techniques.

Risk Appetite: An organization’s tolerance for risk; the broad amount of risk an enterprise will accept in pursuit of its objectives.

Risk Assessment: Determining the likelihood that an identified risk will prevent an enterprise from attaining its objectives, and determining the significance of the risk exposures.

Risk Assessment Tools: The instruments designed to assess and evaluate risks in order to make more informed decisions.

Risk Avoidance: Avoiding the practices giving rise to risk.

Risk Center: A division, department or group having clear boundaries and risk exposure.

Risk Components:
- Financial: Exposure to uncertainty regarding the management and control of the availability and cost of commodities and credit.
- Hazard: Exposure to loss arising from bodily injury, damage to property or from tortious acts; typically includes the perils covered by insurance.
- Operational: Exposure to uncertainty related to day-to-day business activities.
- Strategic: Exposure to uncertainty related to long-term policy directions of the enterprise—the “big picture” risks.

Risk Control: The technique for implementing risk controls to minimize the frequency or severity of conditions or events that threaten the objectives of the enterprise.

Risk Controls: Systems, policies, procedures, practices and safeguards designed to minimize the frequency or severity of conditions or events that increase risk.

Risk Evaluation: Reviewing the results of a risk analysis and deciding whether to accept and manage the risks, transfer them by means such as insurance, a combination of the two, or eliminate the risks altogether.

Risk Exposure: An activity, event or condition that has a moderate or high probability of preventing achievement of the financial objectives of an enterprise.

Risk Factor: An action, condition or event that can cause loss or harm to performance and profitability objectives.

Risk Financing: The mechanisms for funding risk mitigation strategies and/or funding the financial consequences of risk, i.e. insurance or the financial consequences of uninsured or uninsurable risks.

Risk Identification: The qualitative determination of significant risk factors that can potentially impact an enterprise’s achievement of its financial and/or strategic objectives. This is often done through in-depth structured review of the internal practices used in industry-specific companies combined with interviews of key industry personnel, consultants and experts.

Risk Level: One of three risk levels: high, moderate, or low risk. Indicates the likelihood that an individual activity, condition or event will negatively impact the financial objectives of an enterprise. A rating of “high risk” reflects the criticality of instituting risk controls to mitigate the potential negative impact.

Risk Mapping: The visual representation of risks which have been identified through a risk assessment exercise in a way that easily allows priority ranking of them. This representation often takes the form of a two-dimensional grid with probability on one axis and impact on the other axis. The risks that fall in the high probability/high impact quadrant are given priority risk management attention.

Risk Mitigation: Actions which reduce a risk or its consequences (see Risk Strategies).

Risk Monitoring: Observing the effectiveness of installed risk controls and reporting the findings.

Risk Portfolio: A list of risk exposures at a certain time (also called Risk Register).

Risk Prioritization: The ranking of risks on an appropriate scale which identifies which risks are most important to manage based upon severity if encountered (see Risk Mapping).

Risk Profiling: The use of a tool or system to rate and/or prioritize a series of risks.

Risk Recommendation: A suggested action that will reduce or transfer risk.

Risk Reduction: Action taken to mitigate risk while retaining it in the enterprise.

Risk Reporting: Distribution of information on risks to internal and/or external stakeholders.

Risk Response: Management’s development of a set of actions to avoid, accept, reduce, share or transfer risk that align with the enterprise’s risk appetite and tolerances.

Risk Sharing: Reducing the negative impact of risk by transferring some or otherwise sharing a portion of the risk.

Risk Silo: Divisions, departments, or other groups independently exposed to risk and acting in isolation from other risk centers.

Risk Strategies: Possible responses to risk situations such as avoidance, acceptance, reduction, sharing, or transfer.

Risk Tolerance: The acceptable level of risk relative to the achievement of an objective.

Risk Transfer: Action taken to mitigate risk by moving responsibility for it to external parties outside the enterprise.

Risk Treatment: The process of selecting and implementing measures to modify the risk.

Sarbanes-Oxley Act: The Sarbanes-Oxley Act of 2002, commonly referred to as “SOX” or “SarBox,” is an amendment to the Federal Securities Exchange Act of 1934. It is intended to prevent auditors from providing specific non-audit services, including actuarial services, to their SEC-regulated audit clients. There are five major components of the amendment that are of specific interest for higher education. They include sections on 1) transparency of financial reports, 2) corporate disclosure, 3) board independence, 4) accountability, and 5) development of ethical operating standards. Although the Act includes requirements that apply to publicly held companies only, some of the components are essential good practices for all companies.

Traditional Risk Management: Original form of risk management, focusing primarily on insurable hazard risks.