Terms related to risk and risk management
risk appetite #
Risk appetite is the amount of risk an organization is willing to take in pursuit of objectives it deems have value. It can also be described as an organization’s risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been put in place.
risk profile #
A risk profile is a quantitative analysis of the types of threats an organization, asset, project, or individual faces.
The goal of a risk profile is to provide a nonsubjective understanding of risk by assigning numerical values to variables representing different types of threats and the dangers they pose.
Each organization has its own unique risk profile, based on the assets it wants to protect, the goals it wants to achieve, its ability to handle risks, and its willingness to do so.
Organizations use risk profiles to align their strategy and actions with their risk appetite, that is, the level of risk they are willing to accept after the relevant controls have been put in place.
risk avoidance #
Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization and its assets.
It is a specific approach to managing risk and requires a methodical process. Leaders must identify and assess the risks their organization faces and determine how they will eliminate the chances of those risks causing damage to the organization.
It is a deliberate tactic; it is not the same as failing to identify a risk or ignoring it altogether.
residual risk #
Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
risk management #
Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings.
These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters.
A successful risk management program helps an organization consider the full range of risks it faces. Risk management also examines the relationship between risks and the cascading impact they could have on an organization’s strategic goals.
This holistic approach to managing risk is sometimes described as enterprise risk management because of its emphasis on anticipating and understanding risk across an organization. In addition to a focus on internal and external threats, enterprise risk management (ERM) emphasizes the importance of managing positive risk. Positive risks are opportunities that could increase business value or, conversely, damage an organization if not taken. Indeed, the aim of any risk management program is not to eliminate all risk but to preserve and add to enterprise value by making smart risk decisions.
In any risk management strategy, the goals are to either avoid, mitigate or eliminate the risk.
Depending on the requirements of an organization, risk can be managed with as little as a spreadsheet or as much as a dedicated application.
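The "spreadsheet or dedicated application" mentioned above usually boils down to a risk register that scores each threat, applies the controls in place, and compares what remains with the organization's appetite. The following Python script is an added illustration of how the terms defined above (risk profile, residual risk, risk appetite, and the avoid/mitigate/accept decision) fit together; it is not part of the glossary and reflects no particular standard. The 1-5 likelihood and impact scales, the control-effectiveness factors, the appetite threshold, the avoidance threshold, and the sample risks are all constructed assumptions.

```python
"""Toy risk register: scores threats, applies controls, and compares the
residual risk with an organization's risk appetite.

Added illustration, not taken from the glossary. The scoring scale (1-5
likelihood and impact), the control-effectiveness factor, the thresholds
and the sample risks are constructed assumptions; real programs use their
own scales and tolerances.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    category: str                 # e.g. "technology", "legal", "natural disaster"
    likelihood: int               # 1 (rare) .. 5 (almost certain)   [assumed scale]
    impact: int                   # 1 (negligible) .. 5 (severe)     [assumed scale]
    # Each control removes this share (0.0..1.0) of the risk that reaches it.
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after all controls; controls are assumed independent."""
        remaining = 1.0
        for eff in self.controls:
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"control effectiveness out of range: {eff}")
            remaining *= 1.0 - eff
        return self.inherent() * remaining


def risk_profile(risks):
    """Quantitative profile: total inherent and residual score per category."""
    profile = {}
    for r in risks:
        inh, res = profile.get(r.category, (0, 0.0))
        profile[r.category] = (inh + r.inherent(), res + r.residual())
    return profile


def treatment(risk, appetite, avoid_above=20):
    """Decide what to do with a risk given the organization's appetite.

    appetite    : maximum residual score the organization will accept
    avoid_above : inherent score above which the activity is dropped
                  entirely (risk avoidance) instead of being mitigated
                  [assumed threshold]
    """
    if risk.residual() <= appetite:
        return "accept"          # within appetite: carry the residual risk
    if risk.inherent() > avoid_above:
        return "avoid"           # too severe to control: eliminate the exposure
    return "mitigate"            # add or strengthen controls, then reassess


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("unpatched internet-facing server", "technology", 4, 5, [0.5, 0.5]),
    Risk("phishing against finance staff", "technology", 4, 3, [0.3]),
    Risk("contract dispute with vendor", "legal", 2, 3, []),
    Risk("flood at primary data centre", "natural disaster", 1, 5, [0.6]),
    Risk("untested high-risk market launch", "strategic", 5, 5, []),
]
RISK_APPETITE = 6.0   # assumed: a residual score of 6 or below is tolerated


def register_report(risks=SAMPLE_RISKS, appetite=RISK_APPETITE):
    """Map each risk name to (inherent score, residual score, treatment)."""
    return {
        r.name: (r.inherent(), round(r.residual(), 2), treatment(r, appetite))
        for r in risks
    }


if __name__ == "__main__":
    for name, (inh, res, action) in register_report().items():
        print(f"{name:36s} inherent={inh:2d} residual={res:5.2f} -> {action}")
    for cat, (inh, res) in risk_profile(SAMPLE_RISKS).items():
        print(f"profile[{cat}] inherent={inh} residual={res:.2f}")
```

Two design points carry over to real registers: residual risk is computed from the controls actually in place, never from the ones planned, and the appetite is expressed in the same units as the score so the accept/mitigate/avoid decision is mechanical and auditable rather than a matter of opinion in each review.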
risk reporting #
Risk reporting is a method of identifying risks tied to or potentially impacting an organization’s business processes.
The identified risks are usually compiled into a formal risk report, which is then delivered to an organization’s senior management or to various management teams throughout the organization.
Types of risk reporting #
A fundamental truth of risk management is that risks vary from one another in scope. Some risks are relatively minor in scope. For example, a minor risk might delay a project’s completion by a day or two. Conversely, businesses might occasionally face major risks that jeopardize the wellbeing of the entire organization.
Not only do risks vary by severity, but they can also vary in terms of their impact. Some risks affect a whole organization or even an entire industry. Other risks might only impact a single department or a particular account.