Clear definitions for every risk management term you'll encounter — from inherent risk to risk universe.
A risk scoring method where the final score equals Likelihood + Impact. This method produces a narrower score range and treats likelihood and impact as equally important.
An assessment of how well existing controls reduce the inherent risk. Often rated on a scale from None (0% reduction) to Very Strong (80–90% reduction).
The Enterprise Risk Management framework published by the Committee of Sponsoring Organizations of the Treadway Commission. It integrates ERM with strategy and performance, and is widely used in corporate governance.
The level of risk that exists before any controls or mitigating actions are applied. It represents the raw exposure of the organisation to a threat.
The consequence or severity of a risk event if it occurs. Impact is typically assessed across financial, operational, reputational, legal, and safety dimensions.
The international standard for risk management published by the International Organization for Standardization. It provides principles, a framework, and a process for managing risk that can be applied to any organisation.
A metric used to signal that the level of risk exposure is approaching or exceeding the organisation's risk appetite. KRIs provide early warning before losses occur.
The probability or frequency with which a risk event is expected to occur. On a 5-point scale, ratings range from Rare (unlikely within 10 years) to Almost Certain (expected within 12 months).
A risk scoring method where the final score equals Likelihood × Impact. This method amplifies high-likelihood, high-impact risks and is the most widely used approach.
The remaining level of risk after controls and mitigating actions have been applied to inherent risk. Residual risk is what the organisation actually lives with.
The amount and type of risk an organisation is willing to accept in pursuit of its objectives. Often expressed as a threshold or tolerance band rather than a single value.
The acceptable variation in outcomes related to specific objectives. Risk tolerance is more granular than risk appetite and is often set at the operational level.
A numerical value representing the overall level of a risk, calculated by combining likelihood and impact. Common methods include multiplicative (L × I), additive (L + I), and weighted scoring.
The strategy chosen to address a risk. Standard responses include: Accept (live with it), Mitigate (reduce it), Transfer (shift it via insurance or contract), Avoid (eliminate the activity), or Exploit (take advantage of it).
The specific actions taken to address a risk, aligned with the chosen risk response. A treatment plan documents what will be done, by whom, and by when.
A structured document or database that records identified risks, their scores, owners, response strategies, and treatment plans. The central artefact in any risk management programme.
The individual or role accountable for monitoring and managing a specific risk. The risk owner is responsible for implementing treatment actions and reporting on risk status.
A visual representation of risks plotted on a matrix by likelihood (y-axis) and impact (x-axis). Colour-coding (green, amber, red) indicates severity zones at a glance.
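As an added example (not code from the glossary page), the Python below ties several of the definitions above together: it scores inherent risk with both the multiplicative (L × I) and additive (L + I) methods, applies a control effectiveness reduction to obtain residual risk, checks the residual score against a risk appetite threshold, and assigns the green/amber/red heat-map zone. The intermediate rating labels, the control-effectiveness percentages between the page's None (0%) and Very Strong (80–90%) endpoints, the zone cut-offs, the appetite threshold and the sample register entries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed 5-point rating scales. The page gives only the Likelihood endpoints
# (Rare ... Almost Certain); the intermediate labels are constructed.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}

# Control effectiveness as the fraction of inherent risk removed. The page gives
# None = 0% and Very Strong = 80-90%; the intermediate values are assumed.
CONTROL_EFFECTIVENESS = {"None": 0.0, "Weak": 0.2, "Moderate": 0.5, "Strong": 0.7, "Very Strong": 0.85}

# Constructed heat-map zone cut-offs: lower/middle third of each method's score range.
ZONES = {
    "multiplicative": ((6, "green"), (14, "amber")),   # scores 1..25
    "additive": ((4, "green"), (7, "amber")),          # scores 2..10
}


@dataclass
class Risk:
    name: str
    owner: str          # the risk owner accountable for monitoring and treatment
    likelihood: str
    impact: str
    control: str        # current control effectiveness rating


def score(likelihood: int, impact: int, method: str = "multiplicative") -> int:
    """Combine likelihood and impact ratings into an inherent risk score."""
    if method == "multiplicative":
        return likelihood * impact   # 1..25; amplifies high-likelihood, high-impact risks
    if method == "additive":
        return likelihood + impact   # 2..10; narrower range, L and I weighted equally
    raise ValueError(f"unknown scoring method: {method}")


def residual_score(inherent: float, control: str) -> float:
    """Residual risk = inherent risk after the control effectiveness reduction."""
    return round(inherent * (1 - CONTROL_EFFECTIVENESS[control]), 2)


def heat_zone(value: float, method: str = "multiplicative") -> str:
    """Green/amber/red severity zone for a score under the given method."""
    for upper, colour in ZONES[method]:
        if value <= upper:
            return colour
    return "red"


def assess(risk: Risk, appetite: float, method: str = "multiplicative") -> dict:
    """Build one risk register entry: scores, zones, appetite check and response."""
    l, i = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    inherent = score(l, i, method)
    residual = residual_score(inherent, risk.control)
    within = residual <= appetite
    return {
        "risk": risk.name,
        "owner": risk.owner,
        "cell": (i, l),                      # heat-map position: impact on x, likelihood on y
        "inherent": inherent,
        "inherent_zone": heat_zone(inherent, method),
        "residual": residual,
        "residual_zone": heat_zone(residual, method),
        "within_appetite": within,
        # Residual risk inside the appetite threshold can be accepted; otherwise a
        # treatment plan (mitigate, transfer or avoid) is needed to bring it back in.
        "response": "Accept" if within else "Treatment required (mitigate/transfer/avoid)",
    }


def register(risks, appetite: float, method: str = "multiplicative") -> list:
    """Assess every risk, producing the rows of a simple risk register."""
    return [assess(r, appetite, method) for r in risks]


# Constructed sample register entries (not real organisational data).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", "Head of IT", "Likely", "Major", "Strong"),
    Risk("Key supplier insolvency", "CFO", "Possible", "Severe", "Weak"),
]

if __name__ == "__main__":
    for entry in register(SAMPLE_RISKS, appetite=8):
        print(entry)
```

Running the sample shows why residual rather than inherent risk is what the register should drive decisions from: the ransomware entry scores red on an inherent basis (16) but falls to 4.8 (green) under strong controls and sits within an appetite threshold of 8, while the supplier risk (inherent 15) only drops to 12 under weak controls and still needs a treatment plan. Switching `method` to `"additive"` illustrates the narrower score range the additive definition describes.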
The complete set of risks relevant to an organisation across all categories — strategic, financial, operational, legal, reputational, and environmental. The starting point for any comprehensive risk assessment programme.
A governance model dividing risk management responsibilities across: (1) operational management, (2) risk and compliance functions, and (3) internal audit. Each line provides independent assurance.