Enterprise Risk Management Common Risk Language and Definitions

Enterprise Risk Management: A process applied across the entity that is designed to identify potential risks that may affect the entity, manage risks within the entity’s risk tolerance, and support the achievement of the entity’s objectives.

Risk: Any event or action that adversely impacts the entity’s ability to achieve its objectives. Types of risks include strategic, operational, reputational, financial, technology, compliance, fraud, etc.

Mitigating activities/strategies: Actions, procedures, and processes used to manage (limit, reduce, avoid, accept, transfer, and/or share) and monitor risks.

Risk ranking: A qualitative process to prioritize risks using a high, medium and low scale considering both the potential impact (consequences) and probability of occurrence (likelihood of happening).

Risk assessment: The process used to identify and rank risks, and document mitigating strategies, monitoring, and/or reporting processes.

Risk Tolerance: The level of residual risk that an organization and its stakeholders are willing to bear within a given strategic context.

Inherent Risk: The risk present in any scenario where no attempts at mitigation have been made and no controls or other measures have been applied to reduce the risk from initial levels to levels more acceptable to the organization.

Residual Risk: The risk remaining after efforts have been made to reduce the inherent risk.